Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.8.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.8.exe
renamed because original name is a hash value
Original sample name: _2.0.8.exe
Analysis ID: 1579795
MD5: 65296edf39a492d0d9dbe2c7b6735df7
SHA1: b256b2f4f2537239b244e131c33418bbf2723b8b
SHA256: 07287146cb055a3a593306fcb09d498f6b2a533f68aeb43e28ebccd2fc1c1e3f
Tags: backdoor, exe, silverfox, winos, user-zhuzhu0009

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" MD5: 65296EDF39A492D0D9DBE2C7B6735DF7)
    • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (PID: 7296 cmdline: "C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)
      • powershell.exe (PID: 7312 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7508 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (PID: 7596 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT MD5: 65296EDF39A492D0D9DBE2C7B6735DF7)
        • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (PID: 7632 cmdline: "C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$30270,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)
          • 7zr.exe (PID: 7724 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7820 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7724 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 7768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7692 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7708 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7904 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7920 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8032 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8100 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6036 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5796 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6956 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6212 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7516 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5764 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7592 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7288 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7844 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7976 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8084 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1892 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5544 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7192 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6504 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7416 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2680 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3384 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7224 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7784 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ParentProcessId: 7296, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7312, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7708, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ParentProcessId: 7296, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7312, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7708, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ParentProcessId: 7296, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7312, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 85.1% probability
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1828827573.0000000002260000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1828517767.0000000003240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C15AEC0 FindFirstFileA,FindClose,FindClose,6_2_6C15AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00296868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_00296868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00297496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_00297496
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004060000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697492443.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697866454.000000007F5BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000000.1699373627.0000000000F51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.1791382910.00000000011FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697492443.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697866454.000000007F5BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000000.1699373627.0000000000F51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.1791382910.00000000011FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr | Static PE information: section name: .=~
Source: update.vac.6.dr | Static PE information: section name: .=~
Source: hrsw.vbc.6.dr | Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C165120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C165D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE1950: CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFF4A27
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6BFE4754
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C161880
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C166A43
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C1C6CE0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C213D50
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C219E80
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C198EA1
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C1B2EC9
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C20E810
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C22A930
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C198972
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C2199F0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C20FA50
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C211AA0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C224AA0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C20DAD0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C1B0B66
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C1A0BCA
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C1B540A
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C212580
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C21F5C0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C2196E0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C239700
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C19C7CF
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C210020
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C223750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002D81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002AE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003181C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00328240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003122E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00332300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002FE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003204C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003125F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00308650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003066D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002E0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00312A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002EAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00308C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00316CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00320E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00324EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002F10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0031D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002FB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00321120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00315180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003291C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00327200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0031F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002BB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002F53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002953CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0031F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00307410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002DD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003254D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00323530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0033351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00291572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00321550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00333601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002E9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0031D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002A9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002997CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_003277C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002BF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0032D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00291AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002E3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00317AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002ABAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00317C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002ABC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_0030FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00315E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00315F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: String function: 6C199240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: String function: 6C236F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00291E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 002928E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0032FB10 appears 720 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000000.1695609321.0000000000D09000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697492443.00000000029EE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697866454.000000007F8BA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
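The two static indicators in this block, a section named ".=~" in update.vac and hrsw.vbc and an 11-section count on the Inno Setup .exe/.tmp files, are cheap to reproduce on any dropped file. The following is an added example and not code from the Joe Sandbox report or from the analysed sample: a minimal PE section-table parser in Python that walks DOS header, PE signature, COFF header and section table and emits both findings in the report's wording. The build_pe() helper, the allowed-character set and the threshold of 10 are this example's own assumptions; the synthetic header it builds is not a loadable image.

```python
"""Added example (not from the Joe Sandbox report): flag odd section names and
section counts above 10 from the PE section table. build_pe() constructs a
synthetic header so the check runs offline; it is scaffolding, not a sample."""
import string
import struct

# Characters a linker normally emits in section names (.text, .rdata, .data, .rsrc, .reloc ...).
SECTION_NAME_CHARS = set(string.ascii_letters + string.digits + "._$")
MAX_EXPECTED_SECTIONS = 10  # threshold the report applies ("11 > 10"); an assumption of this example

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"
COFF_HEADER_SIZE = struct.calcsize(COFF_HEADER_FMT)  # 20 bytes
SECTION_HEADER_SIZE = 40


def parse_section_names(data: bytes) -> list:
    """Return the section names of a PE image by walking MZ -> e_lfanew -> PE\\0\\0 -> COFF -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    table_off = coff_off + COFF_HEADER_SIZE + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table_off + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]  # IMAGE_SECTION_HEADER.Name is 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def static_pe_findings(data: bytes) -> list:
    """Return report-style findings for the image; an empty list means nothing unusual."""
    names = parse_section_names(data)
    findings = []
    if len(names) > MAX_EXPECTED_SECTIONS:
        findings.append(f"Number of sections : {len(names)} > {MAX_EXPECTED_SECTIONS}")
    for name in names:
        if not name or any(c not in SECTION_NAME_CHARS for c in name):
            findings.append(f"section name: {name!r}")
    return findings


def build_pe(section_names, opt_size=0xE0) -> bytes:
    """Constructed minimal PE header: DOS header with e_lfanew=0x40, PE signature, COFF header,
    zeroed optional header and a section table. Only fields the parser reads are meaningful."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b""
    for name in section_names:
        table += name.encode("latin-1")[:8].ljust(8, b"\0") + b"\0" * (SECTION_HEADER_SIZE - 8)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


if __name__ == "__main__":
    for label, names in (("normal", [".text", ".rdata", ".data", ".rsrc"]),
                         ("odd-name", [".text", ".=~"]),
                         ("many", [f".s{i}" for i in range(11)])):
        print(label, static_pe_findings(build_pe(names)))
```

On a real dropped file, read the bytes and pass them to static_pe_findings(); a name like ".=~" on its own only says the section table was written by something other than a stock linker (packer, loader stub or hand-built image), so treat it as a triage cue to be combined with the dynamic behaviour, not as a verdict.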
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal80.evad.winEXE@144/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C165D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00299313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002A3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00299252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Code function: 6_2_6C165240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | File created: C:\Program Files (x86)\Windows NT\is-QH46T.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2852:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8032:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7984:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | File created: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$30270,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
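The process chain above is a detection opportunity in itself: a Defender exclusion for the whole C: drive added via Add-MpPreference, a kernel-type service whose binPath is a .dll under Program Files rather than a .sys under System32\drivers, two password-protected 7zr extractions with the password on the command line, and a long run of sc start retries. The following is an added example and not part of the Joe Sandbox report: Python detection logic run over constructed process-creation events that mirror the command lines above. The event field names (ts, image, cmdline), the 60-second window and the five-retry threshold are assumptions of this example; Sysmon event 1 or Security 4688 telemetry would be mapped onto the same fields.

```python
"""Added example (not from the Joe Sandbox report): command-line detections for
the Defender exclusion, kernel service creation, password-protected 7zr
extraction and 'sc start' retry storm seen in the process tree."""
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. ts = seconds since the first event.
SAMPLE_EVENTS = [
    {"ts": 0, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"powershell.exe" -Command "Add-MpPreference -ExclusionPath \'C:\\\'"'},
    {"ts": 3, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"ts": 4, "image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "cmdline": "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"},
    {"ts": 5, "image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "cmdline": "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"},
] + [
    {"ts": t, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc start CleverSoar"} for t in range(6, 12)
] + [
    # Benign look-alikes that must not fire.
    {"ts": 20, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query wuauserv"},
    {"ts": 21, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create MyDrv binPath= "C:\Windows\System32\drivers\mydrv.sys" type= kernel start= demand'},
    {"ts": 22, "image": r"C:\Tools\7zr.exe", "cmdline": "7zr.exe x -y backup.7z"},
]

RE_MPPREF = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"\s]+)", re.I)
RE_SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)", re.I)
RE_BINPATH = re.compile(r"binPath=\s*(?:\"([^\"]*)\"|(\S+))", re.I)
RE_TYPE_KERNEL = re.compile(r"\btype=\s*kernel\b", re.I)
RE_SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
RE_7Z_PASSWORD = re.compile(r"\b7zr?(?:\.exe)?\s+[xe]\b.*?\s-p(\S+)", re.I)


def suspicious_driver_path(path: str) -> bool:
    """Kernel services normally point at a .sys under System32\\drivers; anything else deserves a look."""
    p = path.lower()
    return not p.endswith(".sys") or "\\system32\\drivers\\" not in p


def detect(events, start_threshold=5, window=60):
    """Return sorted (ts, severity, message) findings for a list of process-creation events."""
    findings = []
    starts = defaultdict(list)  # service name -> timestamps of 'sc start <name>'
    for ev in events:
        ts, cmd = ev["ts"], ev["cmdline"]
        m = RE_MPPREF.search(cmd)
        if m:
            kind, value = m.group(1), m.group(2)
            # Excluding a whole drive root disables scanning for everything dropped later.
            sev = "high" if re.fullmatch(r"[a-z]:\\?", value, re.I) else "medium"
            findings.append((ts, sev, f"Defender exclusion added: {kind}={value}"))
        m = RE_SC_CREATE.search(cmd)
        if m and RE_TYPE_KERNEL.search(m.group(2)):
            bp = RE_BINPATH.search(m.group(2))
            path = (bp.group(1) or bp.group(2) or "") if bp else ""
            if suspicious_driver_path(path):
                findings.append((ts, "high", f"kernel service {m.group(1)} with non-driver binPath: {path}"))
        m = RE_7Z_PASSWORD.search(cmd)
        if m:
            findings.append((ts, "medium", f"password-protected 7z extraction by {ev['image']} (password on command line)"))
        m = RE_SC_START.search(cmd)
        if m:
            starts[m.group(1).lower()].append(ts)
    # Retry storm: the same service started again and again inside one window.
    for name, times in starts.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= start_threshold:
                findings.append((t0, "medium", f"'sc start {name}' retried {n}x within {window}s"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for ts, sev, msg in detect(SAMPLE_EVENTS):
        print(f"t+{ts:>3}s  {sev:<6}  {msg}")
```

The kernel-service rule is the one worth keeping strict: a driver that lives outside System32\drivers, or that is not a .sys at all, is rare on a healthy host and cheap to alert on, whereas the 7zr and sc start rules are noisy on their own and are best used to enrich the first two.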
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeProcess created: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp "C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$30270,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeSection loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpWindow found: window name: TMainForm
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeStatic file information: File size 5707365 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1828827573.0000000002260000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1828517767.0000000003240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_003157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_003157D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeStatic PE information: real checksum: 0x0 should be: 0x57356c
Source: update.vac.1.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.6.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: hrsw.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.drStatic PE information: section name: .didata
Source: update.vac.1.drStatic PE information: section name: .00cfg
Source: update.vac.1.drStatic PE information: section name: .voltbl
Source: update.vac.1.drStatic PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.drStatic PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: update.vac.6.drStatic PE information: section name: .00cfg
Source: update.vac.6.drStatic PE information: section name: .voltbl
Source: update.vac.6.drStatic PE information: section name: .=~
Source: is-DQL6D.tmp.6.drStatic PE information: section name: .xdata
Source: hrsw.vbc.6.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.6.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.6.drStatic PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C1686EB push ecx; ret 6_2_6C1686FE
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C010F00 push ss; retn 0001h6_2_6C010F0A
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C236F10 push eax; ret 6_2_6C236F2E
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C19B9F4 push 004AC35Ch; ret 6_2_6C19BA0E
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpCode function: 6_2_6C237290 push eax; ret 6_2_6C2372BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_002945F4 push 0033C35Ch; ret 10_2_0029460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0032FB10 push eax; ret 10_2_0032FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0032FE90 push eax; ret 10_2_0032FEBE
Source: update.vac.1.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.drStatic PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ABA5R.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\trash (copy)Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeFile created: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6FDFL.tmp\update.vacJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6FDFL.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Program Files (x86)\Windows NT\is-DQL6D.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exeFile created: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmpFile created: C:\Users\user\AppData\Local\Temp\is-ABA5R.tmp\update.vacJump to dropped file
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6090
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3715
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Window / User API: threadDelayed 599
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Window / User API: threadDelayed 551
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ABA5R.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6FDFL.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6FDFL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-DQL6D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ABA5R.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C15AEC0 FindFirstFileA,FindClose,FindClose, 6_2_6C15AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00296868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00296868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00297496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00297496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00299C60 GetSystemInfo, 10_2_00299C60
Source: #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000002.1802980480.000000000140D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6BFE3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6BFE3886
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C170181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C170181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003157D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_003157D0
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C179D35 mov eax, dword ptr fs:[00000030h] 6_2_6C179D35
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C179D66 mov eax, dword ptr fs:[00000030h] 6_2_6C179D66
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C16F17D mov eax, dword ptr fs:[00000030h] 6_2_6C16F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C168CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C168CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp Code function: 6_2_6C237720 cpuid 6_2_6C237720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0029AB2A GetSystemTimeAsFileTime,10_2_0029AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00330090 GetVersion,10_2_00330090
Mitre Att&ck Matrix (techniques listed per tactic, in matrix row order; the leading number is the count shown beside the technique in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 321 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1579795 | Sample: #U5b89#U88c5#U52a9#U624b_2.... | Startdate: 23/12/2024 | Architecture: WINDOWS | Score: 80

Signatures on the sample:
  • Found driver which could be used to inject code into processes
  • PE file contains section with special chars
  • AI detected suspicious sample
  • Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (dropped files and signatures are listed under the process that produced them; the numbers after a process name are its created registry values / files, as in the legend):
  • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (2)
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp (PE32)
      • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (3, 5)
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          signature: Adds a directory exclusion to Windows Defender
          • #U5b89#U88c5#U52a9#U624b_2.0.8.exe (2)
              dropped: C:\...\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp (PE32)
              • #U5b89#U88c5#U52a9#U624b_2.0.8.tmp (4, 16)
                  dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
                  dropped: C:\Program Files (x86)\...\trash (copy) (PE32+)
                  dropped: C:\Program Files (x86)\...\is-DQL6D.tmp (PE32+)
                  dropped: 3 other files (1 malicious)
                  signature: Query firmware table information (likely to detect VMs)
                  signature: Protects its processes via BreakOnTermination flag
                  signature: Hides threads from debuggers
                  signature: Contains functionality to hide a thread from the debugger
                  • 7zr.exe (2)
                      dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
                      • conhost.exe
                  • cmd.exe
                      • sc.exe
                          • conhost.exe
                  • 7zr.exe (6)
                      • conhost.exe
          • powershell.exe (23)
              signature: Loading BitLocker PowerShell Module
              • conhost.exe
              • WmiPrvSE.exe
  • cmd.exe
      • sc.exe (1)
          • conhost.exe
  • cmd.exe
      • sc.exe (1)
          • conhost.exe
  • 30 other processes
      • sc.exe (1)
          • conhost.exe
      • sc.exe (1)
          • conhost.exe
      • sc.exe (1)
          • conhost.exe
      • 26 other processes
          • conhost.exe
          • 25 other processes

Sample antivirus detection (Source | Detection | Scanner):
  • #U5b89#U88c5#U52a9#U624b_2.0.8.exe | 0% | ReversingLabs

Dropped file antivirus detection (Source | Detection | Scanner):
  • C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\hrsw.vbc | 11% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\is-DQL6D.tmp | 0% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
  • C:\Program Files (x86)\Windows NT\trash (copy) | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-6FDFL.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-6FDFL.tmp\update.vac | 11% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-ABA5R.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-ABA5R.tmp\update.vac | 11% | ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs found in memory or binary data (Name | Source | Malicious | Antivirus Detection | Reputation):
  • https://aria2.github.io/Usage: | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | false | (none) | high
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | #U5b89#U88c5#U52a9#U624b_2.0.8.exe | false | (none) | high
  • https://github.com/aria2/aria2/issuesReport | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | false | (none) | high
  • http://www.metalinker.org/ | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | false | (none) | high
  • https://www.remobjects.com/ps | #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697492443.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697866454.000000007F5BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000000.1699373627.0000000000F51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.1791382910.00000000011FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | false | (none) | high
  • https://aria2.github.io/ | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | false | (none) | high
  • https://github.com/aria2/aria2/issues | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | false | (none) | high
  • https://www.innosetup.com/ | #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697492443.00000000028D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.exe, 00000000.00000003.1697866454.000000007F5BB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000000.1699373627.0000000000F51000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000006.00000000.1791382910.00000000011FD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.8.tmp.0.dr | false | (none) | high
  • http://www.metalinker.org/basic_string::_M_construct | #U5b89#U88c5#U52a9#U624b_2.0.8.tmp, 00000001.00000003.1788557502.0000000004509000.00000004.00001000.00020000.00000000.sdmp, is-DQL6D.tmp.6.dr | false | (none) | high
                    No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579795
Start date and time: 2024-12-23 09:25:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 110
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U52a9#U624b_2.0.8.exe (renamed because the original name is a hash value)
Original Sample Name: _2.0.8.exe
Detection: MAL
Classification: mal80.evad.winEXE@144/32@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 76%
  • Number of executed functions: 65
  • Number of non-executed functions: 77
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
  • Excluded processes from analysis (whitelisted): Conhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 20.109.210.53
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analysed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code
  • Report size getting too big, too many NtCreateKey calls found
  • Report size getting too big, too many NtOpenKeyEx calls found
  • Report size getting too big, too many NtQueryValueKey calls found
  • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b_2.0.8.exe
                    No simulations
                    No context
                    No context
                    No context
                    No context
Related samples (Match | Associated Sample Name / URL | Detection | Threat Name):
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b1.0.2.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.6.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.7.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.5.exe | malicious | Unknown
  • C:\Program Files (x86)\Windows NT\7zr.exe | #U5b89#U88c5#U52a9#U624b_2.0.4.exe | malicious | Unknown
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):831200
                                      Entropy (8bit):6.671005303304742
                                      Encrypted:false
                                      SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                      MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                      SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                      SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                      SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Joe Sandbox View:
                                      • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse
                                      • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Browse
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.999215745260699
                                      Encrypted:true
                                      SSDEEP:6144:Dnbtt5aahwi4Ulbr03HqdUCN6/MTiaTbGyT3t5SNbmMMnfrQQn1:7bz5aEwnUlXdig1GOqMnjQk
                                      MD5:27553992B3783B5FA91E0E458FDC0EC6
                                      SHA1:4B9942712CA58096EDC8EBF6C2768118D484D642
                                      SHA-256:085A6E2610BAB0693097B27904CCFAD2653414660196498904013DE4E2EDA58C
                                      SHA-512:A695CA377F745EF09A8DBBA1A8513D7C76622A7112ABCC37120BBF430866B2BDE09056CAF6A25F49AFB0FC6C8951FD9DA4AA952AD466CFFCF571DB366BE3B03C
                                      Malicious:false
                                      Preview:.@S......:..,..............Q.5..]Y`W;>I1.........e..V......_D%{...Kgh"-....gp....9r...Y...YUa(...<....<.^..8H..^.Gy.${.%..~..k.v..B.....GWQ...I..n..b.DL...38...3..?" ..E.\..%....>...........)h./.\......._..6..;. ....&....%S?ci.....v.4..[...!.g.9*:;H......L......XDE6"..^..o.7.sa.(......O.B.R.$...'1).U...'.L.@.Q..b....=s.^.H...v.:-...h_d...?...l.Q......(....L...@x..>.f.Y..W.........8.y...m...#...a...............oK.U..*f...5.....7\r..5h...s...V...L.s..`ulZQ.Q'tt...._...x...3/T.=Y.@o.....H>..nZJ.....u.........|9.D8....V..O...Vn.0...P.."....+.k./...*...X_...O...q...h.....8..x.......:..u.>;../.. s.(..;....~.....4....\"..f&.7..D...v:.f ...[...2.A...k,..\....E.}.\...9a.....L.N.W,%...Hj.r)..X..G?.,fZ..p..p....s.1..q..f.:9..8>.......&...r....{.N.......;gF....}....S...AP1e.U-...:.....`.....J.<..}.....T.N.c..8..D.un..!./.....%9Ir.......b..[2.]..6...p.5.,6..N..._b....:.n..=.....)..E..gM...Jx}.Rev..0'..F2.......\c$Cf.ebv.8@,'.....j....e.
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.999215745260699
                                      Encrypted:true
                                      SSDEEP:6144:Dnbtt5aahwi4Ulbr03HqdUCN6/MTiaTbGyT3t5SNbmMMnfrQQn1:7bz5aEwnUlXdig1GOqMnjQk
                                      MD5:27553992B3783B5FA91E0E458FDC0EC6
                                      SHA1:4B9942712CA58096EDC8EBF6C2768118D484D642
                                      SHA-256:085A6E2610BAB0693097B27904CCFAD2653414660196498904013DE4E2EDA58C
                                      SHA-512:A695CA377F745EF09A8DBBA1A8513D7C76622A7112ABCC37120BBF430866B2BDE09056CAF6A25F49AFB0FC6C8951FD9DA4AA952AD466CFFCF571DB366BE3B03C
                                      Malicious:false
                                      Preview:.@S......:..,..............Q.5..]Y`W;>I1.........e..V......_D%{...Kgh"-....gp....9r...Y...YUa(...<....<.^..8H..^.Gy.${.%..~..k.v..B.....GWQ...I..n..b.DL...38...3..?" ..E.\..%....>...........)h./.\......._..6..;. ....&....%S?ci.....v.4..[...!.g.9*:;H......L......XDE6"..^..o.7.sa.(......O.B.R.$...'1).U...'.L.@.Q..b....=s.^.H...v.:-...h_d...?...l.Q......(....L...@x..>.f.Y..W.........8.y...m...#...a...............oK.U..*f...5.....7\r..5h...s...V...L.s..`ulZQ.Q'tt...._...x...3/T.=Y.@o.....H>..nZJ.....u.........|9.D8....V..O...Vn.0...P.."....+.k./...*...X_...O...q...h.....8..x.......:..u.>;../.. s.(..;....~.....4....\"..f&.7..D...v:.f ...[...2.A...k,..\....E.}.\...9a.....L.N.W,%...Hj.r)..X..G?.,fZ..p..p....s.1..q..f.:9..8>.......&...r....{.N.......;gF....}....S...AP1e.U-...:.....`.....J.<..}.....T.N.c..8..D.un..!./.....%9Ir.......b..[2.]..6...p.5.,6..N..._b....:.n..=.....)..E..gM...Jx}.Rev..0'..F2.......\c$Cf.ebv.8@,'.....j....e.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996595860667214
                                      Encrypted:true
                                      SSDEEP:1536:/lBrxiashuLNO1AXWcsxlym3ti9dYMiws64CC1:tl09uLN9XWcsGWMjQ
                                      MD5:BED02A7F3595752B8EB5F0BA75FC4049
                                      SHA1:972F9A2F3D7F2013AEA0301C9D59FCBD28D28D17
                                      SHA-256:BA10B5E5CE9E4E9C365CF935D44445C55915627F4E064A4D562B99DD716EFA01
                                      SHA-512:383AE35A3D3CB74F8748B5F7D2A637FF2F381ED6FC2AF42A751BA3A4DC10DDC009EFE76942312A385F4184D717BD73A0121225E5C9963D94652BBA161F7331C9
                                      Malicious:false
                                      Preview:.@S....,.?pl ..............|.$...v.....Kb{.{-..(P|bY...`H.5...S_k.9y_.oL...>3.^fq6K...r.>ju.......oc...r..|Rr.4C}h. ..T.\.n>Xq...Z.W0..Z.......=..z.y{.B..c.."..c..qJ.R..p....7.(5......K..g8y.~.....kam.1Op..N..z..n.../..R......3....m.....P%..Lo....3.I.j1..X....q{x5.r.!..N..V.&..O.n.u.N.O.f.O..3....rm..t.....w...CuH6ZrL..E...wUe.........{.a.F...#r..?Z.i...k...|d.. .C.G...Y.d.]....(?e.&....9......0..5.........]......3..r+.qV*1Dn.........#.qc......R.yz4<..8..@b.zR...-(...z..ZL_ >.d......3...8P.f.....;.....L.S. .w._..]...[9$...?-j..P...a.....bX~!.1..x...3.Q..%..#N.;.dG...I9...@l..lf.wB......z....4.B.<...88....~L....$.x.Y.h.hm.|Vz...LjR{`.....GC.O.....Y....O7.....Q.XG@+%..P..=MQo..2{.JE..c..2M......#-...d|y..t.A.n|..o........q|...c`.s".Iz.|s.TFa...s}j..|q9.....eE%{7...?L=..K.pG6..&?.`;o..a.+.8c...S.IF.%...L..O|..yX.5Wm}..;b..tu1...:..5F9.v....Z>{D..........D.e.8..o..kD...[j...<..L...;.-.........1LV.3`Y..I....BTx.yYZb...&...F..&....L@.TH.&.n(L......>
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996595860667213
                                      Encrypted:true
                                      SSDEEP:1536:mj0GkM8N47lyeF28eFwvcOcSi2d+9XRy9bCoXVDnCk:XFN4ByE2vOfi2dOIbBlD1
                                      MD5:C929E760F67447FA177B07396506CB37
                                      SHA1:38B24E181AB4FE7D2A4561B7981C52213C711703
                                      SHA-256:21BCE6971B29976BB17DBC49E5E918FAE4004221F2B38E12B592960F1AA3C336
                                      SHA-512:A51DFB40B70AA47278D094C33470F4450302FFCA2558E7397F1C31B46EC174D644BC1112C86B20762D87E7BFCC5046C15DFA8FA56F80BF2A8A31BE8947F70029
                                      Malicious:false
                                      Preview:7z..'....9.........2........<..w,..C^...\..{>.......}.U}....;..G..]eS..m....q. N...._.V}..?l..keH..v.......~.B1._.^...3.1.........M6..v.k.9....P.~.....-.....I.@+....'.Q....AJ./T......Ed.ly.........4..O..~>..\.4Q...A...{zB.. .&N4...Z...L......u8.I:).....).U...../.*.<G.y....6.h.*..B.e./.U...<...9.$.E.j>......./.......=@oK.~.7..i..t..i;.>"q...L^....X.......`...U.3.g.I.j.......=ym..l.O......jX..*I...B....3.{......H......eRsN...<....lS..R..(....ff.3Y.3..J|a..R...........q..jI..r...1.,.l.J.|u.Z.\(.D.x.......<..KYN....@o..o...@a...jM.{s......|.O.Kq-....W.no.I....Q0*..i^.........O.43.x.@55(.....XG3a..e_....c12..b.x.;....e...D.......9..[Q..v.4..lq..3sq>.....Sf.2x..........V......#m.h..">..0.T...&5..`.M..^.........TbXRI.#D.....s..4..H...a....".....o...,.:,G....]8....#W.J...e.....o|.....c........Nz..|v..G4..@...5h}.b\...47..[7..i.2.A....ST...0M/3xs}...d.D..*cz..K....m.3y.e..F...m.( .D,.8.._.........z...]....Tzd..lD..-A..I..)..(....".O...
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255975
                                      Encrypted:true
                                      SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                      MD5:CEA69F993E1CE0FB945A98BF37A66546
                                      SHA1:7114365265F041DA904574D1F5876544506F89BA
                                      SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                      SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                      Malicious:false
                                      Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):56546
                                      Entropy (8bit):7.996966859255979
                                      Encrypted:true
                                      SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                      MD5:4CB8B7E557C80FC7B014133AB834A042
                                      SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                      SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                      SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                      Malicious:false
                                      Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                      MD5:8622FC7228777F64A47BD6C61478ADD9
                                      SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                      SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                      SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                      Malicious:false
                                      Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):31890
                                      Entropy (8bit):7.99402458740637
                                      Encrypted:true
                                      SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                      MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                      SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                      SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                      SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                      Malicious:false
                                      Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.99759370165655
                                      Encrypted:true
                                      SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                      MD5:950338D50B95A25F494EE74E97B7B7A9
                                      SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                      SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                      SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                      Malicious:false
                                      Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):74960
                                      Entropy (8bit):7.997593701656546
                                      Encrypted:true
                                      SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                      MD5:059BA7C31F3E227356CA5F29E4AA2508
                                      SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                      SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                      SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                      Malicious:false
                                      Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653607
                                      Encrypted:true
                                      SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                      MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                      SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                      SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                      SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                      Malicious:false
                                      Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):29730
                                      Entropy (8bit):7.994290657653608
                                      Encrypted:true
                                      SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                      MD5:A9C8A3E00692F79E1BA9693003F85D18
                                      SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                      SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                      SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                      Malicious:false
                                      Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:7-zip archive data, version 0.4
                                      Category:dropped
                                      Size (bytes):249984
                                      Entropy (8bit):7.999215745260695
                                      Encrypted:true
                                      SSDEEP:6144:vAAk5v7IVF5HKAnfHvD74J8OxH2shtRWfRloy:g7IDDnfHvDEJ3HDo3
                                      MD5:8B03F1D18D9CE4A4745FC523250F9F4F
                                      SHA1:3D6B746CAD2263712C36D0F1FFEAD37338605287
                                      SHA-256:8E8F65F8C8AAB82671C7D6AE134444158260903922635E9E24CAE3F484A6484A
                                      SHA-512:48906663A2AE73976FC9E1484CC950871D6EB3BB67D8748FE40199EEB8C2367D29B64EDE40887E8F899F40AA249333326027238B4EC380A99F431E5D93BF0410
                                      Malicious:false
                                      Preview:7z..'....... .......@........9.Br........~RFY..R.F.B..mXf.....W[....v&`D.L..hg...^6L..fE...>.....9........'.?Q......#..(^d..].Q,..ykr..... 4.r....c..f.k...:/5Y.+y_......8..u.A)[cI..qo5 *]G2E+...3.P.._.C"|.V..7R..6.M...V..E7.....cE..v5.~..>.p.M.D.a....P".bCg...R..#.....<.{.B. .z..I....f\.......`..`t...Z.....2...;.8&.^..r....h..U......x.w...>xc......E.*_=..,....,<.('"........a.iR.W E.T.a&GWI..L. q]d.b~h...4.6Zy.{.C....*...:#...C.d..>..Gy..&.u@..Rk.W...<..e.Rq..i........,s....'3..I.D.........$m..).i$0..i....kyszw.......rm........<K."..Zl^.......cC.Ztvv...W.\.2..R.i..Wl*..*h.Z=!.rjdL..!.0W.......&..N...F..*....D.4~@.G..~.g.."X.<k..,..s._..V}A.....&.C.H.4R.(...j...=...R..t...rMK..J....#....&\.+U..X..J.dJ.J..'..b`.....k. ......Rz.]..p.....b.+..-.\.L.eC'Hq.2...U.N<...C. ../\|$.+0K"...=..QR..K.xCm.~..-....[M...[Ia.O.#..Z..%.U...]...,Je@*?....W.,.\...E.f..".q..@jy......y-r.Ef5|..r.F..;D.v=..h..@.GJ.{.9B K....W...hh..Pt..~...,ct.....o........^.YMb.D.....
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:PE32+ executable (native) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):63640
                                      Entropy (8bit):6.482810107683822
                                      Encrypted:false
                                      SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                      MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                      SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                      SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                      SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 9%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):4096
                                      Entropy (8bit):3.344834847024567
                                      Encrypted:false
                                      SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                                      MD5:7F252B19B6E96247184F55570325E9FA
                                      SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                                      SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                                      SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                                      Malicious:false
                                      Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
                                      Category:dropped
                                      Size (bytes):5649408
                                      Entropy (8bit):6.392614480390128
                                      Encrypted:false
                                      SSDEEP:98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
                                      MD5:8C71B86BF407C05BAF11E8D296B9C8B8
                                      SHA1:6624AB8CA883C48F02C58250D4EEE9E90098F4E4
                                      SHA-256:BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
                                      SHA-512:BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):1.1628158735648508
                                      Encrypted:false
                                      SSDEEP:3:Nlllulvh2th:NllUE
                                      MD5:1C6FEFD3AEFA5BA7595E7FC2E4284A86
                                      SHA1:1061961FD8D9427258B32E58594747A9009930B7
                                      SHA-256:AB4853F85060BF67D37B111333E3852386DF7BF6AA0499E6CEF96B10CE5A1621
                                      SHA-512:03A091C2C65B6C22EFB336B4155E8579A540C773DB34E8F8654BC3D7044C00434020096B41BF2959245CA8722CF3913B38A653DE361A5BF0FDF218A6F07B6626
                                      Malicious:false
                                      Preview:@...e.................................~..............@..........
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530548291878271
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:9902FA6D39184B87AED7D94A037912D8
                                      SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                      SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                      SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32+ executable (console) x86-64, for MS Windows
                                      Category:dropped
                                      Size (bytes):6144
                                      Entropy (8bit):4.720366600008286
                                      Encrypted:false
                                      SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                      MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                      SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                      SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                      SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3598848
                                      Entropy (8bit):7.004949099807939
                                      Encrypted:false
                                      SSDEEP:49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
                                      MD5:1D1464C73252978A58AC925ECE57F0FB
                                      SHA1:30E442BE965F96F3EB75A3ABDB61B90E5A506993
                                      SHA-256:05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
                                      SHA-512:40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 11%
                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):3366912
                                      Entropy (8bit):6.530548291878271
                                      Encrypted:false
                                      SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                      MD5:9902FA6D39184B87AED7D94A037912D8
                                      SHA1:F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
                                      SHA-256:43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
                                      SHA-512:BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                      Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                      File Type:ASCII text, with CRLF, CR line terminators
                                      Category:dropped
                                      Size (bytes):406
                                      Entropy (8bit):5.117520345541057
                                      Encrypted:false
                                      SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                      MD5:9200058492BCA8F9D88B4877F842C148
                                      SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                      SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                      SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                      Malicious:false
                                      Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.921087624135217
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 98.04%
                                      • Inno Setup installer (109748/4) 1.08%
                                      • InstallShield setup (43055/19) 0.42%
                                      • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                      File name:#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                      File size:5'707'365 bytes
                                      MD5:65296edf39a492d0d9dbe2c7b6735df7
                                      SHA1:b256b2f4f2537239b244e131c33418bbf2723b8b
                                      SHA256:07287146cb055a3a593306fcb09d498f6b2a533f68aeb43e28ebccd2fc1c1e3f
                                      SHA512:45f43460fe66722e17e9e7f301321335e9d31abbf6d8458e236b2d882171eb4baa227f4a91452128c7e0f13be2f85f3edbefa995947dedb3105da5465dee965f
                                      SSDEEP:98304:XwREH1zu2+J1cx3RRw6Fw4fHPEnkQncsAsXZV8U4dBYmEWYbAjoibWNUtmKdMwZO:lAHTcxBRhw4fHcpXL8U43PEbUomWCtmh
                                      TLSH:F7461213F2CBE13EE05E0B3B0AB2B15494FB6A506422AD1696EC74ECCF751601E3E657
                                      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                      Icon Hash:0c0c2d33ceec80aa
                                      Entrypoint:0x4a83bc
                                      Entrypoint Section:.itext
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:1
                                      File Version Major:6
                                      File Version Minor:1
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:1
                                      Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                      Instruction
                                      push ebp
                                      mov ebp, esp
                                      add esp, FFFFFFA4h
                                      push ebx
                                      push esi
                                      push edi
                                      xor eax, eax
                                      mov dword ptr [ebp-3Ch], eax
                                      mov dword ptr [ebp-40h], eax
                                      mov dword ptr [ebp-5Ch], eax
                                      mov dword ptr [ebp-30h], eax
                                      mov dword ptr [ebp-38h], eax
                                      mov dword ptr [ebp-34h], eax
                                      mov dword ptr [ebp-2Ch], eax
                                      mov dword ptr [ebp-28h], eax
                                      mov dword ptr [ebp-14h], eax
                                      mov eax, 004A2EBCh
                                      call 00007F2791681745h
                                      xor eax, eax
                                      push ebp
                                      push 004A8AC1h
                                      push dword ptr fs:[eax]
                                      mov dword ptr fs:[eax], esp
                                      xor edx, edx
                                      push ebp
                                      push 004A8A7Bh
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      mov eax, dword ptr [004B0634h]
                                      call 00007F27917130CBh
                                      call 00007F2791712C1Eh
                                      lea edx, dword ptr [ebp-14h]
                                      xor eax, eax
                                      call 00007F279170D8F8h
                                      mov edx, dword ptr [ebp-14h]
                                      mov eax, 004B41F4h
                                      call 00007F279167B7F3h
                                      push 00000002h
                                      push 00000000h
                                      push 00000001h
                                      mov ecx, dword ptr [004B41F4h]
                                      mov dl, 01h
                                      mov eax, dword ptr [0049CD14h]
                                      call 00007F279170EC23h
                                      mov dword ptr [004B41F8h], eax
                                      xor edx, edx
                                      push ebp
                                      push 004A8A27h
                                      push dword ptr fs:[edx]
                                      mov dword ptr fs:[edx], esp
                                      call 00007F2791713153h
                                      mov dword ptr [004B4200h], eax
                                      mov eax, dword ptr [004B4200h]
                                      cmp dword ptr [eax+0Ch], 01h
                                      jne 00007F2791719E3Ah
                                      mov eax, dword ptr [004B4200h]
                                      mov edx, 00000028h
                                      call 00007F279170F518h
                                      mov edx, dword ptr [004B4200h]
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0xcb000 | 0x11000 | 0x11000 | fe932d5676ad361c48f8d49d8256c9db | False | 0.18784466911764705 | data | 3.7211238544779355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                      RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                      RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                      RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                      RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                      RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                      RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                      RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                      RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                      RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                      RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                      RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                      RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                      RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                      RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                      RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                      RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                      RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                      RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                      RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                      RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                      RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                      RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                      RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                      RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                      RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                      RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1590909090909092
                                      RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                      RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2804532577903683
                                      RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                      DLL | Imports
                                      kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                      comctl32.dll | InitCommonControls
                                      user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                      oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                      advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                      Name | Ordinal | Address
                                      __dbk_fcall_wrapper | 2 | 0x40fc10
                                      dbkFCallWrapperAddr | 1 | 0x4b063c
                                      Language of compilation system | Country where language is spoken | Map
                                      English | United States |
                                      No network behavior found

                                      Target ID:0
                                      Start time:03:25:54
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
                                      Imagebase:0xc50000
                                      File size:5'707'365 bytes
                                      MD5 hash:65296EDF39A492D0D9DBE2C7B6735DF7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:03:25:55
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-8RCFB.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$2043A,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe"
                                      Imagebase:0xf50000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:2
                                      Start time:03:25:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:03:25:55
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:03:25:59
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:5
                                      Start time:03:26:03
                                      Start date:23/12/2024
                                      Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
                                      Imagebase:0xc50000
                                      File size:5'707'365 bytes
                                      MD5 hash:65296EDF39A492D0D9DBE2C7B6735DF7
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Reputation:low
                                      Has exited:false

                                      Target ID:6
                                      Start time:03:26:04
                                      Start date:23/12/2024
                                      Path:C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\Temp\is-BTL2U.tmp\#U5b89#U88c5#U52a9#U624b_2.0.8.tmp" /SL5="$30270,4752973,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.8.exe" /VERYSILENT
                                      Imagebase:0xf80000
                                      File size:3'366'912 bytes
                                      MD5 hash:9902FA6D39184B87AED7D94A037912D8
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:Borland Delphi
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:7
                                      Start time:03:26:06
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:03:26:06
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:03:26:06
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:10
                                      Start time:03:26:06
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                      Imagebase:0x290000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 0%, ReversingLabs
                                      Has exited:true

                                      Target ID:11
                                      Start time:03:26:07
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:12
                                      Start time:03:26:07
                                      Start date:23/12/2024
                                      Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                      Wow64 process (32bit):true
                                      Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                      Imagebase:0x290000
                                      File size:831'200 bytes
                                      MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:03:26:07
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:14
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true
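
Read in order, the records above give the whole chain: the installer re-launches its unpacked companion from an is-*.tmp directory with /SL5= (the way an Inno Setup installer starts its second stage), that stage runs PowerShell to add a Windows Defender exclusion for the whole C:\ drive, registers a kernel-mode service named CleverSoar whose binPath is a .dll under C:\Program Files (x86)\Windows NT rather than a .sys under the drivers directory, unpacks two password-protected .dat files with a bundled 7zr.exe, and then issues sc start CleverSoar over and over. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it tokenizes Commandline fields exactly as printed above and flags the exclusion, the kernel service creation and the protected extraction. The command lines in PROCESSES are copied from the report's Target ID / Commandline fields; the record with Target ID 99 is constructed here to show the same exclusion delivered as an -EncodedCommand payload, the form the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in the signature list targets. The rule names, the ARCHIVE_EXTS set and the helper names are this example's own.

```python
import base64
import re

ARCHIVE_EXTS = {".7z", ".zip", ".rar", ".tar", ".gz", ".xz", ".cab"}
EXCLUSION_RE = re.compile(
    r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['"]?([^'"\s]+)""", re.I)

def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs
    together and dropping the quotes; backslashes are literal, not escapes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    return tokens + ["".join(cur)] if cur else tokens

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def powershell_script(tokens):
    """Script text powershell.exe would run; decodes -EncodedCommand / -enc
    (base64 of UTF-16LE), the form the report's Sigma rule name refers to."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-encodedcommand", "-enc", "-ec", "-e"):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le", "replace")
    return " ".join(tokens[1:])

def sc_args(tokens):
    """(verb, service, {option: value}) for an sc.exe command line, looking past a
    'cmd /c start' wrapper; sc spells options as two tokens, 'key=' then value."""
    idx = next((i for i, t in enumerate(tokens) if basename(t) in ("sc", "sc.exe")), None)
    if idx is None or len(tokens) < idx + 3:
        return None
    rest = tokens[idx + 1:]
    opts = {rest[j][:-1].lower(): rest[j + 1]
            for j in range(2, len(rest) - 1) if rest[j].endswith("=")}
    return rest[0].lower(), rest[1], opts

def check_defender_exclusion(target_id, tokens):
    if basename(tokens[0]) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = EXCLUSION_RE.search(powershell_script(tokens))
    if not m:
        return None
    scope = "drive root" if re.fullmatch(r"[A-Za-z]:\\?", m.group(2)) else "path"
    return (target_id, "defender_exclusion", f"Exclusion{m.group(1)} {m.group(2)} ({scope})")

def check_kernel_service(target_id, tokens):
    parsed = sc_args(tokens)
    if not parsed or parsed[0] != "create" or parsed[2].get("type", "").lower() != "kernel":
        return None
    binpath = parsed[2].get("binpath", "")
    low = binpath.lower()
    note = "" if low.endswith(".sys") and "\\drivers\\" in low else " (not a .sys under a drivers directory)"
    return (target_id, "kernel_service_create", f"{parsed[1]}: binPath={binpath}{note}")

def check_protected_extract(target_id, tokens):
    if basename(tokens[0]) not in ("7zr.exe", "7z.exe", "7za.exe") or len(tokens) < 3:
        return None
    password = next((t[2:] for t in tokens[2:] if t.startswith("-p")), None)
    archive = next((t for t in tokens[2:] if not t.startswith("-")), None)
    if tokens[1].lower() not in ("x", "e") or password is None or archive is None:
        return None
    ext = "." + archive.rsplit(".", 1)[-1].lower() if "." in archive else ""
    note = "" if ext in ARCHIVE_EXTS else f" (extension {ext or 'none'} is not an archive extension)"
    return (target_id, "protected_archive_extract", f"{archive} with password {password}{note}")

def triage(processes):
    """processes: (target_id, commandline) pairs as in the report's process list;
    returns (target_id, rule, detail) triples, one per matching record."""
    findings = []
    for target_id, cmd in processes:
        tokens = tokenize(cmd)
        for check in (check_defender_exclusion, check_kernel_service, check_protected_extract):
            if tokens and (hit := check(target_id, tokens)):
                findings.append(hit)
    return findings

# Command lines copied from the report's Target ID / Commandline fields, plus one
# record constructed for this example (ID 99): the same exclusion as -EncodedCommand.
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()
PROCESSES = [
    (2, r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''),
    (7, r'cmd /c start sc create CleverSoar displayname= CleverSoar binPath= '
        r'"C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    (10, "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"),
    (12, "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"),
    (15, "sc start CleverSoar"),
    (99, f"powershell.exe -nop -w hidden -enc {ENCODED}"),
]

if __name__ == "__main__":
    print(*triage(PROCESSES), sep="\n")
```

Run as-is it prints five findings: the C:\ exclusion twice (plaintext and encoded), the CleverSoar kernel service pointing at tProtect.dll, and the two 7zr extractions of .dat files with their passwords recovered from the -p switch. The repeated sc start records produce nothing on their own; a driver that fails to load on first start is the usual reason an installer retries, so the count of those records is worth noting separately when reading the tree.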

                                      Target ID:16
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:33
                                      Start time:03:26:08
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:34
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:36
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:37
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:38
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:39
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:40
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:41
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:42
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:43
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:44
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff70f330000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:45
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:46
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:47
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:48
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:49
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:50
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:51
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:52
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:53
                                      Start time:03:26:09
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:54
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:55
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:56
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:57
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:58
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:59
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:60
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:61
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:62
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:63
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:64
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:65
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:66
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:67
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:68
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:69
                                      Start time:03:26:10
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:70
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:71
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:72
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:73
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:74
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:75
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:76
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:77
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:78
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:79
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:80
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:81
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:82
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:83
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:84
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:85
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:86
                                      Start time:03:26:11
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:87
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:88
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:89
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:90
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:91
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:92
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:93
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:94
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:95
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:96
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:97
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:98
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:99
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:100
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:101
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:102
                                      Start time:03:26:12
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:103
                                      Start time:03:26:13
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:104
                                      Start time:03:26:13
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:105
                                      Start time:03:26:13
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:106
                                      Start time:03:26:13
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\sc.exe
                                      Wow64 process (32bit):false
                                      Commandline:sc start CleverSoar
                                      Imagebase:0x7ff6f44e0000
                                      File size:72'192 bytes
                                      MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:107
                                      Start time:03:26:13
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:108
                                      Start time:03:26:13
                                      Start date:23/12/2024
                                      Path:C:\Windows\System32\cmd.exe
                                      Wow64 process (32bit):false
                                      Commandline:cmd /c start sc start CleverSoar
                                      Imagebase:0x7ff7fdeb0000
                                      File size:289'792 bytes
                                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

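The entries above show one pattern repeated every few hundred milliseconds between 03:26:11 and 03:26:13: an elevated cmd.exe running `cmd /c start sc start CleverSoar`, the sc.exe it launches, and the conhost.exe attached to it. A single `sc start` is ordinary installer behaviour; a tight loop of them against one service name is the kind of spawn burst worth alerting on. The following is an added example, not part of the Joe Sandbox report: it parses the report's key:value process-block layout and flags any service started at least N times within a short window. The sample records are constructed to mirror the entries above (a benign `sc query` is included to show it is ignored), and the threshold of 5 starts within 5 seconds is an assumed tuning value, not something the report states.

```python
"""Flag bursts of `sc start <service>` in a Joe Sandbox-style process list.
Added example; the records below are constructed to mirror the report above."""
import re
from datetime import datetime, timedelta

# Constructed sample (Target ID, start time, path, command line), all on 23/12/2024.
SAMPLE_RECORDS = [
    (75, "03:26:11", r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    (76, "03:26:11", r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    (77, "03:26:11", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (78, "03:26:11", r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    (79, "03:26:11", r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    (81, "03:26:11", r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    (82, "03:26:11", r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    (87, "03:26:12", r"C:\Windows\System32\cmd.exe", "cmd /c start sc start CleverSoar"),
    (88, "03:26:12", r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    (103, "03:26:13", r"C:\Windows\System32\sc.exe", "sc start CleverSoar"),
    (200, "03:30:00", r"C:\Windows\System32\sc.exe", "sc query wuauserv"),  # benign
]


def render_report(records):
    """Serialise records in the key:value, blank-line-separated layout the report uses."""
    blocks = []
    for tid, t, path, cmd in records:
        blocks.append("\n".join([
            f"Target ID:{tid}",
            f"Start time:{t}",
            "Start date:23/12/2024",
            f"Path:{path}",
            f"Commandline:{cmd}",
            "Has elevated privileges:true",
        ]))
    return "\n\n".join(blocks)


def parse_report(text):
    """Parse blank-line-separated key:value blocks into dicts with a 'started' datetime.
    Only the first ':' on a line separates key from value, so drive letters and
    'HH:MM:SS' times survive intact."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Commandline" not in fields:
            continue
        fields["started"] = datetime.strptime(
            f"{fields['Start date']} {fields['Start time']}", "%d/%m/%Y %H:%M:%S")
        procs.append(fields)
    return procs


# Matches the sc.exe invocation itself, not the cmd.exe wrapper around it.
SC_START = re.compile(r"^sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def sc_start_bursts(procs, min_count=5, window=timedelta(seconds=5)):
    """Return {service: [Target IDs]} for every service started at least
    min_count times inside some sliding window of `window` seconds.
    min_count/window are assumed tuning values, not figures from the report."""
    by_service = {}
    for p in procs:
        m = SC_START.match(p["Commandline"])
        if m:
            by_service.setdefault(m.group(1).lower(), []).append(p)
    hits = {}
    for svc, plist in by_service.items():
        plist.sort(key=lambda p: p["started"])
        for i in range(len(plist)):
            j = i
            while j < len(plist) and plist[j]["started"] - plist[i]["started"] <= window:
                j += 1
            if j - i >= min_count:
                hits[svc] = [int(p["Target ID"]) for p in plist[i:j]]
                break
    return hits


def launcher_chain(procs):
    """Distinct cmd.exe command lines that wrap an `sc start`; in this report each
    sc.exe is preceded by `cmd /c start sc start <service>`."""
    return sorted({p["Commandline"] for p in procs
                   if p["Path"].lower().endswith("\\cmd.exe")
                   and "sc start" in p["Commandline"].lower()})


if __name__ == "__main__":
    procs = parse_report(render_report(SAMPLE_RECORDS))
    print(sc_start_bursts(procs))   # {'cleversoar': [76, 79, 82, 88, 103]}
    print(launcher_chain(procs))    # ['cmd /c start sc start CleverSoar']
```

On a live host the same logic applies to Security event 4688 (or Sysmon event 1) records keyed on the process command line; the report's fields map directly onto NewProcessName/CommandLine and the event timestamp. The service name itself (CleverSoar) and the three MD5 hashes in the entries above are the IOCs to carry into that hunt.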

                                        Execution Graph

                                        Execution Coverage:2.4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:15.5%
                                        Total number of Nodes:793
                                        Total number of Limit Nodes:13
                                        [Execution graph: 793-node, 13-limit-node call graph from the interactive viewer; the raw node/edge listing is omitted here. Named API calls visible in the graph data: CreateProcessA, WaitForSingleObject, CloseHandle, GetCurrentProcess, TerminateProcess, Sleep, CreateFileA, FindFirstFileA, FindClose, ReadFile, ReadConsoleW, GetConsoleMode, HeapFree, GetLastError, IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection; CRT/STL internals __dosmaperr, __wsopen_s, std::_Facet_Register, std::invalid_argument, std::ios_base::_Ios_base_dtor.]
API calls 66141->66142 66143 6c1660fe 66142->66143 66245 6c167327 66143->66245 66145 6c166112 66257 6c031d90 66145->66257 66148 6c1661ec 66148->66108 66150 6c166226 66265 6c0326e0 24 API calls 4 library calls 66150->66265 66152 6c166238 66266 6c169379 RaiseException 66152->66266 66154 6c16624d 66155 6c02e010 67 API calls 66154->66155 66156 6c16625f 66155->66156 66156->66108 66158 6c006bd5 66157->66158 66159 6c032020 52 API calls 66158->66159 66160 6c006c68 66159->66160 66161 6c166a43 std::_Facet_Register 4 API calls 66160->66161 66162 6c006ca0 66161->66162 66163 6c167327 43 API calls 66162->66163 66164 6c006cb4 66163->66164 66165 6c031d90 89 API calls 66164->66165 66166 6c006d5d 66165->66166 66167 6c006d8e 66166->66167 66576 6c032250 30 API calls 66166->66576 66167->66113 66169 6c006dc8 66577 6c0326e0 24 API calls 4 library calls 66169->66577 66171 6c006dda 66578 6c169379 RaiseException 66171->66578 66173 6c006def 66174 6c02e010 67 API calls 66173->66174 66175 6c006e0f 66174->66175 66175->66113 66177 6c16638d 66176->66177 66579 6c1665a0 66177->66579 66179 6c16647c 66179->66113 66183 6c1663a5 66183->66179 66597 6c032250 30 API calls 66183->66597 66598 6c0326e0 24 API calls 4 library calls 66183->66598 66599 6c169379 RaiseException 66183->66599 66185 6c04203f 66184->66185 66189 6c042053 66185->66189 66608 6c033560 32 API calls std::_Xinvalid_argument 66185->66608 66187 6c04210e 66191 6c042121 66187->66191 66609 6c0337e0 32 API calls std::_Xinvalid_argument 66187->66609 66189->66187 66610 6c032250 30 API calls 66189->66610 66611 6c0326e0 24 API calls 4 library calls 66189->66611 66612 6c169379 RaiseException 66189->66612 66191->66113 66195 6c165b9e 66194->66195 66199 6c165bd1 66194->66199 66613 6c0301f0 66195->66613 66197 6c165c83 66197->66119 66199->66197 66617 6c032250 30 API calls 66199->66617 66200 6c170b18 67 API calls 66200->66199 66202 6c165cae 66618 6c032340 24 API calls 66202->66618 66204 6c165cbe 66619 6c169379 RaiseException 66204->66619 66206 6c165cc9 
66207 6c02e010 67 API calls 66206->66207 66208 6c165d22 std::ios_base::_Ios_base_dtor 66207->66208 66208->66119 66210 6c02e04b 66209->66210 66211 6c02e0a3 66210->66211 66212 6c0301f0 64 API calls 66210->66212 66211->66111 66213 6c02e098 66212->66213 66214 6c170b18 67 API calls 66213->66214 66214->66211 66216 6c00709e 66215->66216 66219 6c0070d1 66215->66219 66218 6c0301f0 64 API calls 66216->66218 66217 6c007183 66217->66121 66220 6c0070c4 66218->66220 66219->66217 66665 6c032250 30 API calls 66219->66665 66222 6c170b18 67 API calls 66220->66222 66222->66219 66223 6c0071ae 66666 6c032340 24 API calls 66223->66666 66225 6c0071be 66667 6c169379 RaiseException 66225->66667 66227 6c0071c9 66229 6c166a43 std::_Facet_Register 4 API calls 66228->66229 66230 6c03207e 66229->66230 66231 6c167327 43 API calls 66230->66231 66232 6c032092 66231->66232 66267 6c032f60 42 API calls 4 library calls 66232->66267 66234 6c0320c8 66235 6c03210d 66234->66235 66236 6c032136 66234->66236 66237 6c032120 66235->66237 66268 6c166f8e 9 API calls 2 library calls 66235->66268 66269 6c032250 30 API calls 66236->66269 66237->66141 66240 6c03215b 66270 6c032340 24 API calls 66240->66270 66242 6c032171 66271 6c169379 RaiseException 66242->66271 66244 6c03217c 66244->66141 66246 6c167333 __EH_prolog3 66245->66246 66272 6c166eb5 66246->66272 66251 6c167351 66286 6c1673ba 39 API calls std::locale::_Setgloballocale 66251->66286 66252 6c1673ac 66252->66145 66254 6c167359 66287 6c1671b1 HeapFree GetLastError _Yarn 66254->66287 66256 6c16736f 66278 6c166ee6 66256->66278 66258 6c031dc7 66257->66258 66259 6c031ddc 66257->66259 66258->66148 66264 6c032250 30 API calls 66258->66264 66292 6c167447 66259->66292 66263 6c031e82 66264->66150 66265->66152 66266->66154 66267->66234 66268->66237 66269->66240 66270->66242 66271->66244 66273 6c166ec4 66272->66273 66274 6c166ecb 66272->66274 66288 6c1703cd 6 API calls std::_Lockit::_Lockit 66273->66288 66277 6c166ec9 66274->66277 66289 6c16858b EnterCriticalSection 
66274->66289 66277->66256 66285 6c167230 6 API calls 2 library calls 66277->66285 66279 6c166ef0 66278->66279 66280 6c1703db 66278->66280 66281 6c166f03 66279->66281 66290 6c168599 LeaveCriticalSection 66279->66290 66291 6c1703b6 LeaveCriticalSection 66280->66291 66281->66252 66284 6c1703e2 66284->66252 66285->66251 66286->66254 66287->66256 66288->66277 66289->66277 66290->66281 66291->66284 66293 6c167450 66292->66293 66295 6c031dea 66293->66295 66301 6c16fd4a 66293->66301 66295->66258 66300 6c16c563 18 API calls __wsopen_s 66295->66300 66296 6c16749c 66296->66295 66312 6c16fa58 65 API calls 66296->66312 66298 6c1674b7 66298->66295 66313 6c170b18 66298->66313 66300->66263 66302 6c16fd55 __wsopen_s 66301->66302 66303 6c16fd68 66302->66303 66304 6c16fd88 66302->66304 66338 6c170120 18 API calls __wsopen_s 66303->66338 66308 6c16fd78 66304->66308 66324 6c17ae0c 66304->66324 66308->66296 66312->66298 66314 6c170b24 __wsopen_s 66313->66314 66315 6c170b43 66314->66315 66316 6c170b2e 66314->66316 66320 6c170b3e 66315->66320 66447 6c16c5a9 EnterCriticalSection 66315->66447 66462 6c170120 18 API calls __wsopen_s 66316->66462 66318 6c170b60 66448 6c170b9c 66318->66448 66320->66295 66322 6c170b6b 66463 6c170b92 LeaveCriticalSection 66322->66463 66325 6c17ae18 __wsopen_s 66324->66325 66340 6c17039f EnterCriticalSection 66325->66340 66327 6c17ae26 66341 6c17aeb0 66327->66341 66332 6c17af72 66333 6c17b091 66332->66333 66365 6c17b114 66333->66365 66336 6c16fdcc 66339 6c16fdf5 LeaveCriticalSection 66336->66339 66338->66308 66339->66308 66340->66327 66342 6c17aed3 66341->66342 66343 6c17af2b 66342->66343 66350 6c17ae33 66342->66350 66358 6c16c5a9 EnterCriticalSection 66342->66358 66359 6c16c5bd LeaveCriticalSection 66342->66359 66360 6c1771e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66343->66360 66346 6c17af34 66361 6c1747bb HeapFree GetLastError _free 66346->66361 66348 6c17af3d 66348->66350 66362 6c176c1f 6 API calls 
std::_Lockit::_Lockit 66348->66362 66355 6c17ae6c 66350->66355 66351 6c17af5c 66363 6c16c5a9 EnterCriticalSection 66351->66363 66354 6c17af6f 66354->66350 66364 6c1703b6 LeaveCriticalSection 66355->66364 66357 6c16fda3 66357->66308 66357->66332 66358->66342 66359->66342 66360->66346 66361->66348 66362->66351 66363->66354 66364->66357 66366 6c17b133 66365->66366 66367 6c17b146 66366->66367 66371 6c17b15b 66366->66371 66381 6c170120 18 API calls __wsopen_s 66367->66381 66369 6c17b0a7 66369->66336 66378 6c183fde 66369->66378 66376 6c17b27b 66371->66376 66382 6c183ea8 37 API calls __wsopen_s 66371->66382 66373 6c17b2cb 66373->66376 66383 6c183ea8 37 API calls __wsopen_s 66373->66383 66375 6c17b2e9 66375->66376 66384 6c183ea8 37 API calls __wsopen_s 66375->66384 66376->66369 66385 6c170120 18 API calls __wsopen_s 66376->66385 66386 6c184396 66378->66386 66381->66369 66382->66373 66383->66375 66384->66376 66385->66369 66388 6c1843a2 __wsopen_s 66386->66388 66387 6c1843a9 66404 6c170120 18 API calls __wsopen_s 66387->66404 66388->66387 66389 6c1843d4 66388->66389 66395 6c183ffe 66389->66395 66394 6c183ff9 66394->66336 66406 6c1706cb 66395->66406 66400 6c184034 66402 6c184066 66400->66402 66446 6c1747bb HeapFree GetLastError _free 66400->66446 66405 6c18442b LeaveCriticalSection __wsopen_s 66402->66405 66404->66394 66405->66394 66407 6c16bceb __fassign 37 API calls 66406->66407 66408 6c1706dd 66407->66408 66409 6c1706ef 66408->66409 66410 6c1769d5 __wsopen_s 5 API calls 66408->66410 66411 6c16bdf6 66409->66411 66410->66409 66412 6c16be4e __wsopen_s GetLastError HeapFree GetLastError MultiByteToWideChar 66411->66412 66413 6c16be0e 66412->66413 66413->66400 66414 6c18406c 66413->66414 66415 6c1844ec __wsopen_s 18 API calls 66414->66415 66416 6c184089 66415->66416 66417 6c18160c __wsopen_s 14 API calls 66416->66417 66419 6c18409e __dosmaperr 66416->66419 66418 6c1840bc 66417->66418 66418->66419 66420 6c184457 __wsopen_s CreateFileW 66418->66420 66419->66400 66426 6c184115 
66420->66426 66421 6c184192 GetFileType 66422 6c18419d GetLastError 66421->66422 66423 6c1841e4 66421->66423 66425 6c16f9f2 __dosmaperr 66422->66425 66429 6c1817b0 __wsopen_s SetStdHandle 66423->66429 66424 6c184167 GetLastError 66424->66419 66427 6c1841ab CloseHandle 66425->66427 66426->66421 66426->66424 66428 6c184457 __wsopen_s CreateFileW 66426->66428 66427->66419 66443 6c1841d4 66427->66443 66430 6c18415a 66428->66430 66431 6c184205 66429->66431 66430->66421 66430->66424 66432 6c184251 66431->66432 66433 6c184666 __wsopen_s 70 API calls 66431->66433 66434 6c184710 __wsopen_s 70 API calls 66432->66434 66436 6c184258 66432->66436 66433->66432 66435 6c184286 66434->66435 66435->66436 66438 6c184294 66435->66438 66437 6c17b925 __wsopen_s 21 API calls 66436->66437 66437->66419 66438->66419 66439 6c184310 CloseHandle 66438->66439 66440 6c184457 __wsopen_s CreateFileW 66439->66440 66441 6c18433b 66440->66441 66442 6c184345 GetLastError 66441->66442 66441->66443 66444 6c184351 __dosmaperr 66442->66444 66443->66419 66445 6c18171f __wsopen_s SetStdHandle 66444->66445 66445->66443 66446->66402 66447->66318 66449 6c170bbe 66448->66449 66450 6c170ba9 66448->66450 66453 6c170bb9 66449->66453 66464 6c170cb9 66449->66464 66486 6c170120 18 API calls __wsopen_s 66450->66486 66453->66322 66458 6c170be1 66479 6c17b898 66458->66479 66460 6c170be7 66460->66453 66487 6c1747bb HeapFree GetLastError _free 66460->66487 66462->66320 66463->66320 66465 6c170cd1 66464->66465 66466 6c170bd3 66464->66466 66465->66466 66467 6c179c60 18 API calls 66465->66467 66470 6c17873e 66466->66470 66468 6c170cef 66467->66468 66488 6c17bb6c 66468->66488 66471 6c178755 66470->66471 66472 6c170bdb 66470->66472 66471->66472 66544 6c1747bb HeapFree GetLastError _free 66471->66544 66474 6c179c60 66472->66474 66475 6c179c81 66474->66475 66476 6c179c6c 66474->66476 66475->66458 66545 6c170120 18 API calls __wsopen_s 66476->66545 66478 6c179c7c 66478->66458 66480 6c17b8be 66479->66480 66484 6c17b8a9 __dosmaperr 
66479->66484 66481 6c17b8e5 66480->66481 66482 6c17b907 __dosmaperr 66480->66482 66546 6c17b9c1 66481->66546 66554 6c170120 18 API calls __wsopen_s 66482->66554 66484->66460 66486->66453 66487->66453 66489 6c17bb78 __wsopen_s 66488->66489 66490 6c17bbca 66489->66490 66491 6c17bc33 __dosmaperr 66489->66491 66495 6c17bb80 __dosmaperr 66489->66495 66499 6c181990 EnterCriticalSection 66490->66499 66529 6c170120 18 API calls __wsopen_s 66491->66529 66493 6c17bbd0 66497 6c17bbec __dosmaperr 66493->66497 66500 6c17bc5e 66493->66500 66495->66466 66528 6c17bc2b LeaveCriticalSection __wsopen_s 66497->66528 66499->66493 66501 6c17bc80 66500->66501 66527 6c17bc9c __dosmaperr 66500->66527 66502 6c17bcd4 66501->66502 66504 6c17bc84 __dosmaperr 66501->66504 66503 6c17bce7 66502->66503 66538 6c17ac69 20 API calls __wsopen_s 66502->66538 66530 6c17be40 66503->66530 66537 6c170120 18 API calls __wsopen_s 66504->66537 66509 6c17bcfd 66513 6c17bd26 66509->66513 66514 6c17bd01 66509->66514 66510 6c17bd3c 66511 6c17bd95 WriteFile 66510->66511 66512 6c17bd50 66510->66512 66515 6c17bdb9 GetLastError 66511->66515 66511->66527 66517 6c17bd85 66512->66517 66518 6c17bd5b 66512->66518 66540 6c17beb1 43 API calls 5 library calls 66513->66540 66514->66527 66539 6c17c25b 6 API calls __wsopen_s 66514->66539 66515->66527 66543 6c17c2c3 7 API calls 2 library calls 66517->66543 66519 6c17bd75 66518->66519 66520 6c17bd60 66518->66520 66542 6c17c487 8 API calls 3 library calls 66519->66542 66523 6c17bd65 66520->66523 66520->66527 66541 6c17c39e 7 API calls 2 library calls 66523->66541 66525 6c17bd73 66525->66527 66527->66497 66528->66495 66529->66495 66531 6c1819e5 __wsopen_s 18 API calls 66530->66531 66532 6c17be51 66531->66532 66533 6c17bcf8 66532->66533 66534 6c1749b2 __Getctype 37 API calls 66532->66534 66533->66509 66533->66510 66535 6c17be74 66534->66535 66535->66533 66536 6c17be8e GetConsoleMode 66535->66536 66536->66533 66537->66527 66538->66503 66539->66527 66540->66527 66541->66525 
66542->66525 66543->66525 66544->66472 66545->66478 66547 6c17b9cd __wsopen_s 66546->66547 66555 6c181990 EnterCriticalSection 66547->66555 66549 6c17b9db 66551 6c17ba08 66549->66551 66556 6c17b925 66549->66556 66569 6c17ba41 LeaveCriticalSection __wsopen_s 66551->66569 66553 6c17ba2a 66553->66484 66554->66484 66555->66549 66570 6c1815a2 66556->66570 66558 6c17b935 66559 6c17b93b 66558->66559 66561 6c17b96d 66558->66561 66562 6c1815a2 __wsopen_s 18 API calls 66558->66562 66575 6c18171f SetStdHandle __dosmaperr __wsopen_s 66559->66575 66561->66559 66563 6c1815a2 __wsopen_s 18 API calls 66561->66563 66564 6c17b964 66562->66564 66565 6c17b979 CloseHandle 66563->66565 66566 6c1815a2 __wsopen_s 18 API calls 66564->66566 66565->66559 66567 6c17b985 GetLastError 66565->66567 66566->66561 66567->66559 66568 6c17b993 __dosmaperr 66568->66551 66569->66553 66571 6c1815af __dosmaperr 66570->66571 66573 6c1815c4 __dosmaperr 66570->66573 66571->66558 66572 6c1815e9 66572->66558 66573->66572 66574 6c170120 __wsopen_s 18 API calls 66573->66574 66574->66571 66575->66568 66576->66169 66577->66171 66578->66173 66580 6c1665dc 66579->66580 66581 6c166608 66579->66581 66595 6c166601 66580->66595 66602 6c032250 30 API calls 66580->66602 66586 6c166619 66581->66586 66600 6c033560 32 API calls std::_Xinvalid_argument 66581->66600 66584 6c1667e8 66603 6c032340 24 API calls 66584->66603 66586->66595 66601 6c032f60 42 API calls 4 library calls 66586->66601 66587 6c1667f7 66604 6c169379 RaiseException 66587->66604 66591 6c166827 66606 6c032340 24 API calls 66591->66606 66593 6c16683d 66607 6c169379 RaiseException 66593->66607 66595->66183 66596 6c166653 66596->66595 66605 6c032250 30 API calls 66596->66605 66597->66183 66598->66183 66599->66183 66600->66586 66601->66596 66602->66584 66603->66587 66604->66596 66605->66591 66606->66593 66607->66595 66608->66189 66609->66191 66610->66189 66611->66189 66612->66189 66614 6c03022e 66613->66614 66615 6c0304d6 66614->66615 66620 6c1717db 66614->66620 
66615->66200 66617->66202 66618->66204 66619->66206 66621 6c171806 66620->66621 66622 6c1717e9 66620->66622 66621->66614 66622->66621 66623 6c17180a 66622->66623 66624 6c1717f6 66622->66624 66628 6c171a02 66623->66628 66636 6c170120 18 API calls __wsopen_s 66624->66636 66629 6c171a0e __wsopen_s 66628->66629 66637 6c16c5a9 EnterCriticalSection 66629->66637 66631 6c171a1c 66638 6c1719bf 66631->66638 66635 6c17183c 66635->66614 66636->66621 66637->66631 66646 6c1785a6 66638->66646 66644 6c1719f9 66645 6c171a51 LeaveCriticalSection 66644->66645 66645->66635 66647 6c179c60 18 API calls 66646->66647 66648 6c1785b7 66647->66648 66649 6c1819e5 __wsopen_s 18 API calls 66648->66649 66651 6c1785bd __wsopen_s 66649->66651 66650 6c1719d3 66653 6c17183e 66650->66653 66651->66650 66663 6c1747bb HeapFree GetLastError _free 66651->66663 66655 6c171850 66653->66655 66657 6c17186e 66653->66657 66654 6c17185e 66664 6c170120 18 API calls __wsopen_s 66654->66664 66655->66654 66655->66657 66660 6c171886 _Yarn 66655->66660 66662 6c178659 62 API calls 66657->66662 66658 6c170cb9 62 API calls 66658->66660 66659 6c179c60 18 API calls 66659->66660 66660->66657 66660->66658 66660->66659 66661 6c17bb6c __wsopen_s 62 API calls 66660->66661 66661->66660 66662->66644 66663->66650 66664->66657 66665->66223 66666->66225 66667->66227 66668->66124 66669->66131 66670->66133 66671->66127 66672->66129 66673 6c16ef3f 66674 6c16ef4b __wsopen_s 66673->66674 66675 6c16ef52 GetLastError ExitThread 66674->66675 66676 6c16ef5f 66674->66676 66685 6c1749b2 GetLastError 66676->66685 66681 6c16ef7b 66719 6c16eeaa 16 API calls 2 library calls 66681->66719 66684 6c16ef9d 66686 6c1749cf 66685->66686 66687 6c1749c9 66685->66687 66691 6c1749d5 SetLastError 66686->66691 66721 6c176b62 6 API calls std::_Lockit::_Lockit 66686->66721 66720 6c176b23 6 API calls std::_Lockit::_Lockit 66687->66720 66690 6c1749ed 66690->66691 66692 6c1749f1 66690->66692 66698 6c16ef64 66691->66698 66699 6c174a69 66691->66699 66722 6c1771e5 
EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66692->66722 66695 6c1749fd 66696 6c174a05 66695->66696 66697 6c174a1c 66695->66697 66723 6c176b62 6 API calls std::_Lockit::_Lockit 66696->66723 66725 6c176b62 6 API calls std::_Lockit::_Lockit 66697->66725 66713 6c179d66 66698->66713 66728 6c170ac9 37 API calls std::locale::_Setgloballocale 66699->66728 66704 6c174a28 66706 6c174a3d 66704->66706 66707 6c174a2c 66704->66707 66705 6c174a13 66724 6c1747bb HeapFree GetLastError _free 66705->66724 66727 6c1747bb HeapFree GetLastError _free 66706->66727 66726 6c176b62 6 API calls std::_Lockit::_Lockit 66707->66726 66710 6c174a19 66710->66691 66712 6c174a4f 66712->66691 66714 6c16ef6f 66713->66714 66715 6c179d78 GetPEB 66713->66715 66714->66681 66718 6c176d6f 5 API calls std::_Lockit::_Lockit 66714->66718 66715->66714 66716 6c179d8b 66715->66716 66729 6c176e18 5 API calls std::_Lockit::_Lockit 66716->66729 66718->66681 66719->66684 66720->66686 66721->66690 66722->66695 66723->66705 66724->66710 66725->66704 66726->66705 66727->66712 66729->66714 66730 6bfe3d62 66732 6bfe3bc0 66730->66732 66731 6bfe3e8a GetCurrentThread NtSetInformationThread 66733 6bfe3eea 66731->66733 66732->66731 66734 6bfff8a3 66735 6bfff887 66734->66735 66736 6c0002ac GetCurrentProcess TerminateProcess 66735->66736 66737 6c0002ca 66736->66737 66738 6bff3b72 66739 6c166a43 std::_Facet_Register 4 API calls 66738->66739 66747 6bff37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66739->66747 66740 6c15aec0 2 API calls 66740->66747 66741 6c00639e 66761 6c170130 18 API calls 2 library calls 66741->66761 66743 6c006ba0 104 API calls 66743->66747 66745 6c007090 77 API calls 66745->66747 66746 6c02e010 67 API calls 66746->66747 66747->66740 66747->66741 66747->66743 66747->66745 66747->66746 66751 6c006e60 66747->66751 66752 6c006e9f 66751->66752 66755 6c006eb3 66752->66755 66762 6c033560 32 API calls std::_Xinvalid_argument 66752->66762 66757 6c006f5b 66755->66757 66764 
6c032250 30 API calls 66755->66764 66765 6c0326e0 24 API calls 4 library calls 66755->66765 66766 6c169379 RaiseException 66755->66766 66758 6c006f6e 66757->66758 66763 6c0337e0 32 API calls std::_Xinvalid_argument 66757->66763 66758->66747 66762->66755 66763->66758 66764->66755 66765->66755 66766->66755 66767 6bfe4b53 66768 6c166a43 std::_Facet_Register 4 API calls 66767->66768 66769 6bfe4b5c _Yarn 66768->66769 66770 6c15aec0 2 API calls 66769->66770 66775 6bfe4bae std::ios_base::_Ios_base_dtor 66770->66775 66771 6c00639e 66948 6c170130 18 API calls 2 library calls 66771->66948 66773 6bfe4cff 66774 6bfe5164 CreateFileA CloseHandle 66779 6bfe51ec 66774->66779 66775->66771 66775->66773 66775->66774 66776 6bff245a _Yarn _strlen 66775->66776 66776->66771 66778 6c15aec0 2 API calls 66776->66778 66794 6bff2a83 std::ios_base::_Ios_base_dtor 66778->66794 66925 6c165120 OpenSCManagerA 66779->66925 66781 6bfefc00 66941 6c165240 CreateToolhelp32Snapshot 66781->66941 66783 6c166a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66820 6bfe5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 66783->66820 66786 6bff37d0 Sleep 66831 6bff37e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66786->66831 66787 6c15aec0 2 API calls 66787->66820 66788 6c0063b2 66949 6bfe15e0 18 API calls std::ios_base::_Ios_base_dtor 66788->66949 66789 6c165240 4 API calls 66807 6bff053a 66789->66807 66790 6c165240 4 API calls 66812 6bff12e2 66790->66812 66792 6bfeffe3 66792->66789 66799 6bff0abc 66792->66799 66793 6c0064f8 66794->66771 66929 6c150390 66794->66929 66795 6c006ba0 104 API calls 66795->66820 66796 6c006e60 32 API calls 66796->66820 66798 6c165240 4 API calls 66798->66799 66799->66776 66799->66790 66800 6c007090 77 API calls 66800->66820 66801 6c165240 4 API calls 66821 6bff1dd9 66801->66821 66802 6bff211c 66802->66776 66803 6bff241a 66802->66803 66806 6c150390 11 API calls 66803->66806 66804 6c15aec0 2 API calls 66804->66831 66805 6c02e010 
67 API calls 66805->66820 66809 6bff244d 66806->66809 66807->66798 66807->66799 66808 6bfe6722 66938 6c161880 25 API calls 4 library calls 66808->66938 66947 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66809->66947 66811 6bff2452 Sleep 66811->66776 66812->66801 66812->66802 66813 6bff16ac 66812->66813 66814 6bfe6162 66815 6bfe740b 66816 6c164ff0 4 API calls 66815->66816 66824 6bfe775a _strlen 66816->66824 66817 6c165240 4 API calls 66817->66802 66818 6c006ba0 104 API calls 66818->66831 66819 6c006e60 32 API calls 66819->66831 66820->66771 66820->66781 66820->66783 66820->66787 66820->66795 66820->66796 66820->66800 66820->66805 66820->66808 66820->66814 66821->66802 66821->66817 66822 6c007090 77 API calls 66822->66831 66823 6c02e010 67 API calls 66823->66831 66824->66771 66825 6bfe7ba9 66824->66825 66826 6bfe7b92 66824->66826 66829 6bfe7b43 _Yarn 66824->66829 66828 6c166a43 std::_Facet_Register 4 API calls 66825->66828 66827 6c166a43 std::_Facet_Register 4 API calls 66826->66827 66827->66829 66828->66829 66830 6c15aec0 2 API calls 66829->66830 66840 6bfe7be7 std::ios_base::_Ios_base_dtor 66830->66840 66831->66771 66831->66804 66831->66818 66831->66819 66831->66822 66831->66823 66832 6c164ff0 4 API calls 66843 6bfe8a07 66832->66843 66833 6bfe9d7f 66837 6c166a43 std::_Facet_Register 4 API calls 66833->66837 66834 6bfe9d68 66836 6c166a43 std::_Facet_Register 4 API calls 66834->66836 66835 6bfe962c _strlen 66835->66771 66835->66833 66835->66834 66838 6bfe9d18 _Yarn 66835->66838 66836->66838 66837->66838 66839 6c15aec0 2 API calls 66838->66839 66846 6bfe9dbd std::ios_base::_Ios_base_dtor 66839->66846 66840->66771 66840->66832 66840->66835 66841 6bfe8387 66840->66841 66842 6c164ff0 4 API calls 66851 6bfe9120 66842->66851 66843->66842 66844 6c164ff0 4 API calls 66861 6bfea215 _strlen 66844->66861 66845 6c164ff0 4 API calls 66847 6bfe9624 66845->66847 66846->66771 66846->66844 66852 6bfee8b5 
std::ios_base::_Ios_base_dtor _Yarn _strlen 66846->66852 66939 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66847->66939 66848 6c166a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66848->66852 66850 6c15aec0 2 API calls 66850->66852 66851->66845 66852->66771 66852->66848 66852->66850 66853 6bfeed02 Sleep 66852->66853 66854 6bfef7b1 66852->66854 66873 6bfee8c1 66853->66873 66940 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66854->66940 66856 6bfee8dd GetCurrentProcess TerminateProcess 66856->66852 66857 6bfea9bb 66860 6c166a43 std::_Facet_Register 4 API calls 66857->66860 66858 6bfea9a4 66859 6c166a43 std::_Facet_Register 4 API calls 66858->66859 66868 6bfea953 _Yarn _strlen 66859->66868 66860->66868 66861->66771 66861->66857 66861->66858 66861->66868 66862 6c164ff0 4 API calls 66862->66873 66863 6bfefbb8 66864 6bfefbe8 ExitWindowsEx Sleep 66863->66864 66864->66781 66865 6bfef7c0 66865->66863 66866 6bfeb009 66870 6c166a43 std::_Facet_Register 4 API calls 66866->66870 66867 6bfeaff0 66869 6c166a43 std::_Facet_Register 4 API calls 66867->66869 66868->66788 66868->66866 66868->66867 66871 6bfeafa0 _Yarn 66868->66871 66869->66871 66870->66871 66872 6c165960 104 API calls 66871->66872 66874 6bfeb059 std::ios_base::_Ios_base_dtor _strlen 66872->66874 66873->66852 66873->66856 66873->66862 66874->66771 66875 6bfeb42c 66874->66875 66876 6bfeb443 66874->66876 66879 6bfeb3da _Yarn _strlen 66874->66879 66877 6c166a43 std::_Facet_Register 4 API calls 66875->66877 66878 6c166a43 std::_Facet_Register 4 API calls 66876->66878 66877->66879 66878->66879 66879->66788 66880 6bfeb79e 66879->66880 66881 6bfeb7b7 66879->66881 66884 6bfeb751 _Yarn 66879->66884 66882 6c166a43 std::_Facet_Register 4 API calls 66880->66882 66883 6c166a43 std::_Facet_Register 4 API calls 66881->66883 66882->66884 
66883->66884 66885 6c165960 104 API calls 66884->66885 66886 6bfeb804 std::ios_base::_Ios_base_dtor _strlen 66885->66886 66886->66771 66887 6bfebc0f 66886->66887 66888 6bfebc26 66886->66888 66891 6bfebbbd _Yarn _strlen 66886->66891 66889 6c166a43 std::_Facet_Register 4 API calls 66887->66889 66890 6c166a43 std::_Facet_Register 4 API calls 66888->66890 66889->66891 66890->66891 66891->66788 66892 6bfec08e 66891->66892 66893 6bfec075 66891->66893 66896 6bfec028 _Yarn 66891->66896 66895 6c166a43 std::_Facet_Register 4 API calls 66892->66895 66894 6c166a43 std::_Facet_Register 4 API calls 66893->66894 66894->66896 66895->66896 66897 6c165960 104 API calls 66896->66897 66902 6bfec0db std::ios_base::_Ios_base_dtor _strlen 66897->66902 66898 6bfec7bc 66901 6c166a43 std::_Facet_Register 4 API calls 66898->66901 66899 6bfec7a5 66900 6c166a43 std::_Facet_Register 4 API calls 66899->66900 66909 6bfec753 _Yarn _strlen 66900->66909 66901->66909 66902->66771 66902->66898 66902->66899 66902->66909 66903 6bfed3ed 66905 6c166a43 std::_Facet_Register 4 API calls 66903->66905 66904 6bfed406 66906 6c166a43 std::_Facet_Register 4 API calls 66904->66906 66907 6bfed39a _Yarn 66905->66907 66906->66907 66908 6c165960 104 API calls 66907->66908 66910 6bfed458 std::ios_base::_Ios_base_dtor _strlen 66908->66910 66909->66788 66909->66903 66909->66904 66909->66907 66915 6bfecb2f 66909->66915 66910->66771 66911 6bfed8bb 66910->66911 66912 6bfed8a4 66910->66912 66916 6bfed852 _Yarn _strlen 66910->66916 66913 6c166a43 std::_Facet_Register 4 API calls 66911->66913 66914 6c166a43 std::_Facet_Register 4 API calls 66912->66914 66913->66916 66914->66916 66916->66788 66917 6bfedccf 66916->66917 66918 6bfedcb6 66916->66918 66921 6bfedc69 _Yarn 66916->66921 66920 6c166a43 std::_Facet_Register 4 API calls 66917->66920 66919 6c166a43 std::_Facet_Register 4 API calls 66918->66919 66919->66921 66920->66921 66922 6c165960 104 API calls 66921->66922 66924 6bfedd1c std::ios_base::_Ios_base_dtor 66922->66924 
66923 6c164ff0 4 API calls 66923->66852 66924->66771 66924->66923 66926 6c165156 66925->66926 66927 6c1651e8 OpenServiceA 66926->66927 66928 6c16522f 66926->66928 66927->66926 66928->66820 66935 6c1503a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 66929->66935 66930 6c15310e CloseHandle 66930->66935 66931 6c153f5f CloseHandle 66931->66935 66932 6c15251b CloseHandle 66932->66935 66933 6bff37cb 66937 6c165d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66933->66937 66934 6c13c1e0 WriteFile WriteFile WriteFile ReadFile 66934->66935 66935->66930 66935->66931 66935->66932 66935->66933 66935->66934 66950 6c13b730 66935->66950 66937->66786 66938->66815 66939->66835 66940->66865 66942 6c1652a0 std::locale::_Setgloballocale 66941->66942 66943 6c165277 CloseHandle 66942->66943 66944 6c165320 Process32NextW 66942->66944 66945 6c1653b1 66942->66945 66946 6c165345 Process32FirstW 66942->66946 66943->66942 66944->66942 66945->66792 66946->66942 66947->66811 66949->66793 66952 6c13b743 _Yarn __wsopen_s std::locale::_Setgloballocale 66950->66952 66951 6c13c180 66951->66935 66952->66951 66953 6c13bced CreateFileA 66952->66953 66955 6c13aa30 66952->66955 66953->66952 66956 6c13aa43 __wsopen_s std::locale::_Setgloballocale 66955->66956 66957 6c13b3e9 WriteFile 66956->66957 66958 6c13b43d WriteFile 66956->66958 66959 6c13b718 66956->66959 66960 6c13ab95 ReadFile 66956->66960 66957->66956 66958->66956 66959->66952 66960->66956
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: HR^
                                        • API String ID: 4218353326-1341859651
                                        • Opcode ID: 5123df0cc83ce9fc2861a971cd65eac5ecfecf5cd6d2117c57abe9f8bc05991e
                                        • Instruction ID: 13ba9b51f5f0e33ac78a963e5fa2b438f96b56c4b6afab19da896af0a33b7d54
                                        • Opcode Fuzzy Hash: 5123df0cc83ce9fc2861a971cd65eac5ecfecf5cd6d2117c57abe9f8bc05991e
                                        • Instruction Fuzzy Hash: E674F772644B028FC728CF28C8D06A5B7F3EF95314B198A6DC0968B765E778B54BCB50
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: }jk$;T55$L@^
                                        • API String ID: 0-4218709813
                                        • Opcode ID: 278475e1851fcffacc4d836e03b9db5b0088ecb9f45fa6914fa95b50e9ad29c3
                                        • Instruction ID: 9c506f6e421e043f6946edb48ca653716478f0718fc499d42488f5e32d02114e
                                        • Opcode Fuzzy Hash: 278475e1851fcffacc4d836e03b9db5b0088ecb9f45fa6914fa95b50e9ad29c3
                                        • Instruction Fuzzy Hash: 533407726447018FC728CF28C8D0A95B7E7EF85314B198A6DC0AA4B775EB78B54BCB50

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 7677 6c165240-6c165275 CreateToolhelp32Snapshot 7678 6c1652a0-6c1652a9 7677->7678 7679 6c1652e0-6c1652e5 7678->7679 7680 6c1652ab-6c1652b0 7678->7680 7683 6c165377-6c1653a1 call 6c172c05 7679->7683 7684 6c1652eb-6c1652f0 7679->7684 7681 6c165315-6c16531a 7680->7681 7682 6c1652b2-6c1652b7 7680->7682 7689 6c1653a6-6c1653ab 7681->7689 7690 6c165320-6c165332 Process32NextW 7681->7690 7685 6c165334-6c16535d call 6c16b920 Process32FirstW 7682->7685 7686 6c1652b9-6c1652be 7682->7686 7683->7678 7687 6c165277-6c165292 CloseHandle 7684->7687 7688 6c1652f2-6c1652f7 7684->7688 7696 6c165362-6c165372 7685->7696 7686->7678 7694 6c1652c0-6c1652d1 7686->7694 7687->7678 7688->7678 7695 6c1652f9-6c165313 7688->7695 7689->7678 7693 6c1653b1-6c1653bf 7689->7693 7690->7696 7694->7678 7695->7678 7696->7678
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C16524E
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 3332741929-0
                                        • Opcode ID: ffa38a5fd806f82b09f5feddd28497b9f5eb8d1b4194c5ec2f7e957e34d985dd
                                        • Instruction ID: 88186afa72a6287c055da25d7454a4bf22f2f197732e04ff17b524da92669582
                                        • Opcode Fuzzy Hash: ffa38a5fd806f82b09f5feddd28497b9f5eb8d1b4194c5ec2f7e957e34d985dd
                                        • Instruction Fuzzy Hash: 1A315C74608340DFD7109F2AC888B1ABBF4AF96744F51492EF898C7BA1D371D8588B52

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 7821 6bfe3886-6bfe388e 7822 6bfe3894-6bfe3896 7821->7822 7823 6bfe3970-6bfe397d 7821->7823 7822->7823 7824 6bfe389c-6bfe38b9 7822->7824 7825 6bfe397f-6bfe3989 7823->7825 7826 6bfe39f1-6bfe39f8 7823->7826 7829 6bfe38c0-6bfe38c1 7824->7829 7825->7824 7830 6bfe398f-6bfe3994 7825->7830 7827 6bfe39fe-6bfe3a03 7826->7827 7828 6bfe3ab5-6bfe3aba 7826->7828 7831 6bfe3a09-6bfe3a2f 7827->7831 7832 6bfe38d2-6bfe38d4 7827->7832 7828->7824 7834 6bfe3ac0-6bfe3ac7 7828->7834 7833 6bfe395e 7829->7833 7835 6bfe399a-6bfe399f 7830->7835 7836 6bfe3b16-6bfe3b18 7830->7836 7839 6bfe38f8-6bfe3955 7831->7839 7840 6bfe3a35-6bfe3a3a 7831->7840 7841 6bfe3957-6bfe395c 7832->7841 7843 6bfe3960-6bfe3964 7833->7843 7834->7829 7842 6bfe3acd-6bfe3ad6 7834->7842 7837 6bfe383b-6bfe3855 call 6c131470 call 6c131480 7835->7837 7838 6bfe39a5-6bfe39bf 7835->7838 7836->7829 7850 6bfe3860-6bfe3885 7837->7850 7844 6bfe3a5a-6bfe3a5d 7838->7844 7839->7841 7845 6bfe3b1d-6bfe3b22 7840->7845 7846 6bfe3a40-6bfe3a57 7840->7846 7841->7833 7842->7836 7847 6bfe3ad8-6bfe3aeb 7842->7847 7849 6bfe396a 7843->7849 7843->7850 7854 6bfe3aa9-6bfe3ab0 7844->7854 7855 6bfe3a87-6bfe3aa7 7844->7855 7851 6bfe3b49-6bfe3b50 7845->7851 7852 6bfe3b24-6bfe3b44 7845->7852 7846->7844 7847->7839 7856 6bfe3af1-6bfe3af8 7847->7856 7858 6bfe3ba1-6bfe3bb6 7849->7858 7850->7821 7851->7829 7860 6bfe3b56-6bfe3b5d 7851->7860 7852->7855 7854->7843 7855->7854 7862 6bfe3afa-6bfe3aff 7856->7862 7863 6bfe3b62-6bfe3b85 7856->7863 7859 6bfe3bc0-6bfe3bda call 6c131470 call 6c131480 7858->7859 7872 6bfe3be0-6bfe3bfe 7859->7872 7860->7843 7862->7841 7863->7839 7867 6bfe3b8b 7863->7867 7867->7858 7875 6bfe3e7b 7872->7875 7876 6bfe3c04-6bfe3c11 7872->7876 7879 6bfe3e81-6bfe3ee0 call 6bfe3750 GetCurrentThread NtSetInformationThread 7875->7879 7877 6bfe3c17-6bfe3c20 7876->7877 7878 6bfe3ce0-6bfe3cea 7876->7878 7883 6bfe3c26-6bfe3c2d 7877->7883 7884 6bfe3dc5 7877->7884 7881 6bfe3cec-6bfe3d0c 7878->7881 7882 6bfe3d3a-6bfe3d3c 7878->7882 7893 6bfe3eea-6bfe3f04 call 6c131470 call 6c131480 7879->7893 7887 6bfe3d90-6bfe3d95 7881->7887 7888 6bfe3d3e-6bfe3d45 7882->7888 7889 6bfe3d70-6bfe3d8d 7882->7889 7890 6bfe3dc3 7883->7890 7891 6bfe3c33-6bfe3c3a 7883->7891 7885 6bfe3dc6 7884->7885 7892 6bfe3dc8-6bfe3dcc 7885->7892 7897 6bfe3dba-6bfe3dc1 7887->7897 7898 6bfe3d97-6bfe3db8 7887->7898 7894 6bfe3d50-6bfe3d57 7888->7894 7889->7887 7890->7884 7895 6bfe3e26-6bfe3e2b 7891->7895 7896 6bfe3c40-6bfe3c5b 7891->7896 7892->7872 7904 6bfe3dd2 7892->7904 7915 6bfe3f75-6bfe3fa1 7893->7915 7894->7885 7901 6bfe3c7b-6bfe3cd0 7895->7901 7902 6bfe3e31 7895->7902 7903 6bfe3e1b-6bfe3e24 7896->7903 7897->7890 7899 6bfe3dd7-6bfe3ddc 7897->7899 7898->7884 7906 6bfe3dde-6bfe3e17 7899->7906 7907 6bfe3e36-6bfe3e3d 7899->7907 7901->7894 7902->7859 7903->7892 7905 6bfe3e76-6bfe3e79 7904->7905 7905->7879 7906->7903 7911 6bfe3e3f-6bfe3e5a 7907->7911 7912 6bfe3e5c-6bfe3e5f 7907->7912 7911->7903 7912->7901 7914 6bfe3e65-6bfe3e69 7912->7914 7914->7892 7914->7905 7919 6bfe3fa3-6bfe3fa8 7915->7919 7920 6bfe4020-6bfe4026 7915->7920 7921 6bfe3fae-6bfe3fcf 7919->7921 7922 6bfe407c-6bfe4081 7919->7922 7923 6bfe402c-6bfe403c 7920->7923 7924 6bfe3f06-6bfe3f35 7920->7924 7926 6bfe40aa-6bfe40ae 7921->7926 7922->7926 7929 6bfe4083-6bfe408a 7922->7929 7927 6bfe403e-6bfe4058 7923->7927 7928 6bfe40b3-6bfe40b8 7923->7928 7925 6bfe3f38-6bfe3f61 7924->7925 7930 6bfe3f64-6bfe3f67 7925->7930 7931 6bfe3f6b-6bfe3f6f 7926->7931 7932 6bfe405a-6bfe4063 7927->7932 7928->7921 7934 6bfe40be-6bfe40c9 7928->7934 7929->7925 7933 6bfe4090 7929->7933 7935 6bfe3f69 7930->7935 7931->7915 7936 6bfe4069-6bfe406c 7932->7936 7937 6bfe40f5-6bfe413f 7932->7937 7933->7893 7934->7926 7938 6bfe40cb-6bfe40d4 7934->7938 7935->7931 7942 6bfe4144-6bfe414b 7936->7942 7943 6bfe4072-6bfe4077 7936->7943 7937->7935 7939 6bfe40d6-6bfe40f0 7938->7939 7940 6bfe40a7 7938->7940 7939->7932 7940->7926 7942->7931 7943->7930
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b2ea2ffce325a03b2514a4ba0d0661d38603b33fb6a53e6e965e9b75c9aa92f4
                                        • Instruction ID: 722602452fd45cfdf2fbfd1f8eec956efe86996cabe01ac98ccabc47c99e5af2
                                        • Opcode Fuzzy Hash: b2ea2ffce325a03b2514a4ba0d0661d38603b33fb6a53e6e965e9b75c9aa92f4
                                        • Instruction Fuzzy Hash: 9A32C233244B018FC335CF28C8946A5B7E3EF913147698AADC0EA5B665D779B44BCB60

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 7969 6bfe3a6a-6bfe3a85 7970 6bfe3a87-6bfe3aa7 7969->7970 7971 6bfe3aa9-6bfe3ab0 7970->7971 7972 6bfe3960-6bfe3964 7971->7972 7973 6bfe396a 7972->7973 7974 6bfe3860-6bfe388e 7972->7974 7976 6bfe3ba1-6bfe3bb6 7973->7976 7984 6bfe3894-6bfe3896 7974->7984 7985 6bfe3970-6bfe397d 7974->7985 7977 6bfe3bc0-6bfe3bda call 6c131470 call 6c131480 7976->7977 7992 6bfe3be0-6bfe3bfe 7977->7992 7984->7985 7987 6bfe389c-6bfe38b9 7984->7987 7988 6bfe397f-6bfe3989 7985->7988 7989 6bfe39f1-6bfe39f8 7985->7989 7993 6bfe38c0-6bfe38c1 7987->7993 7988->7987 7994 6bfe398f-6bfe3994 7988->7994 7990 6bfe39fe-6bfe3a03 7989->7990 7991 6bfe3ab5-6bfe3aba 7989->7991 7995 6bfe3a09-6bfe3a2f 7990->7995 7996 6bfe38d2-6bfe38d4 7990->7996 7991->7987 7999 6bfe3ac0-6bfe3ac7 7991->7999 8012 6bfe3e7b 7992->8012 8013 6bfe3c04-6bfe3c11 7992->8013 7998 6bfe395e 7993->7998 8000 6bfe399a-6bfe399f 7994->8000 8001 6bfe3b16-6bfe3b18 7994->8001 8004 6bfe38f8-6bfe3955 7995->8004 8005 6bfe3a35-6bfe3a3a 7995->8005 8007 6bfe3957-6bfe395c 7996->8007 7998->7972 7999->7993 8008 6bfe3acd-6bfe3ad6 7999->8008 8002 6bfe383b-6bfe3855 call 6c131470 call 6c131480 8000->8002 8003 6bfe39a5-6bfe39bf 8000->8003 8001->7993 8002->7974 8009 6bfe3a5a-6bfe3a5d 8003->8009 8004->8007 8010 6bfe3b1d-6bfe3b22 8005->8010 8011 6bfe3a40-6bfe3a57 8005->8011 8007->7998 8008->8001 8014 6bfe3ad8-6bfe3aeb 8008->8014 8009->7970 8009->7971 8016 6bfe3b49-6bfe3b50 8010->8016 8017 6bfe3b24-6bfe3b44 8010->8017 8011->8009 8021 6bfe3e81-6bfe3ee0 call 6bfe3750 GetCurrentThread NtSetInformationThread 8012->8021 8018 6bfe3c17-6bfe3c20 8013->8018 8019 6bfe3ce0-6bfe3cea 8013->8019 8014->8004 8020 6bfe3af1-6bfe3af8 8014->8020 8016->7993 8023 6bfe3b56-6bfe3b5d 8016->8023 8017->7970 8027 6bfe3c26-6bfe3c2d 8018->8027 8028 6bfe3dc5 8018->8028 8025 6bfe3cec-6bfe3d0c 8019->8025 8026 6bfe3d3a-6bfe3d3c 8019->8026 8029 6bfe3afa-6bfe3aff 8020->8029 8030 6bfe3b62-6bfe3b85 8020->8030 8042 6bfe3eea-6bfe3f04 call 6c131470 call 6c131480 8021->8042 8023->7972 8035 6bfe3d90-6bfe3d95 8025->8035 8036 6bfe3d3e-6bfe3d45 8026->8036 8037 6bfe3d70-6bfe3d8d 8026->8037 8038 6bfe3dc3 8027->8038 8039 6bfe3c33-6bfe3c3a 8027->8039 8032 6bfe3dc6 8028->8032 8029->8007 8030->8004 8034 6bfe3b8b 8030->8034 8041 6bfe3dc8-6bfe3dcc 8032->8041 8034->7976 8046 6bfe3dba-6bfe3dc1 8035->8046 8047 6bfe3d97-6bfe3db8 8035->8047 8043 6bfe3d50-6bfe3d57 8036->8043 8037->8035 8038->8028 8044 6bfe3e26-6bfe3e2b 8039->8044 8045 6bfe3c40-6bfe3c5b 8039->8045 8041->7992 8053 6bfe3dd2 8041->8053 8064 6bfe3f75-6bfe3fa1 8042->8064 8043->8032 8050 6bfe3c7b-6bfe3cd0 8044->8050 8051 6bfe3e31 8044->8051 8052 6bfe3e1b-6bfe3e24 8045->8052 8046->8038 8048 6bfe3dd7-6bfe3ddc 8046->8048 8047->8028 8055 6bfe3dde-6bfe3e17 8048->8055 8056 6bfe3e36-6bfe3e3d 8048->8056 8050->8043 8051->7977 8052->8041 8054 6bfe3e76-6bfe3e79 8053->8054 8054->8021 8055->8052 8060 6bfe3e3f-6bfe3e5a 8056->8060 8061 6bfe3e5c-6bfe3e5f 8056->8061 8060->8052 8061->8050 8063 6bfe3e65-6bfe3e69 8061->8063 8063->8041 8063->8054 8068 6bfe3fa3-6bfe3fa8 8064->8068 8069 6bfe4020-6bfe4026 8064->8069 8070 6bfe3fae-6bfe3fcf 8068->8070 8071 6bfe407c-6bfe4081 8068->8071 8072 6bfe402c-6bfe403c 8069->8072 8073 6bfe3f06-6bfe3f35 8069->8073 8075 6bfe40aa-6bfe40ae 8070->8075 8071->8075 8078 6bfe4083-6bfe408a 8071->8078 8076 6bfe403e-6bfe4058 8072->8076 8077 6bfe40b3-6bfe40b8 8072->8077 8074 6bfe3f38-6bfe3f61 8073->8074 8079 6bfe3f64-6bfe3f67 8074->8079 8080 6bfe3f6b-6bfe3f6f 8075->8080 8081 6bfe405a-6bfe4063 8076->8081 8077->8070 8083 6bfe40be-6bfe40c9 8077->8083 8078->8074 8082 6bfe4090 8078->8082 8084 6bfe3f69 8079->8084 8080->8064 8085 6bfe4069-6bfe406c 8081->8085 8086 6bfe40f5-6bfe413f 8081->8086 8082->8042 8083->8075 8087 6bfe40cb-6bfe40d4 8083->8087 8084->8080 8091 6bfe4144-6bfe414b 8085->8091 8092 6bfe4072-6bfe4077 8085->8092 8086->8084 8088 6bfe40d6-6bfe40f0 8087->8088 8089 6bfe40a7 8087->8089 8088->8081 8089->8075 8091->8080 8092->8079
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: b7cfd95dc1154b71cb938b90ae78242bcc05b5840560ccd0e68fabe537c2a036
                                        • Instruction ID: c9604fc6897afdf7bdbe46c8637480b4662e212e3722d213223872f2d822b2ee
                                        • Opcode Fuzzy Hash: b7cfd95dc1154b71cb938b90ae78242bcc05b5840560ccd0e68fabe537c2a036
                                        • Instruction Fuzzy Hash: 9151CF335047019FC332CF28C8847A5B7A3AF95314F698A5DC0EA1B6B5DB79B44B8B61
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CurrentThread
                                        • String ID:
                                        • API String ID: 2882836952-0
                                        • Opcode ID: 271b471a3c14063fc512384a8a29c7194ff3e5af7d4d133f6982d151ea6e6d70
                                        • Instruction ID: b59c0d057ff6b37ec720010d25405068f11b9223f1a0136345d3c4d06ecad970
                                        • Opcode Fuzzy Hash: 271b471a3c14063fc512384a8a29c7194ff3e5af7d4d133f6982d151ea6e6d70
                                        • Instruction Fuzzy Hash: 0F51E033504B119BC331CF28C4847A5B7A3BF85314F258A5DC0EA5B2B5DB78B44B8BA1
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BFE3E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFE3EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: c123e4544efe1767c5cfac96eb72f7bad0cd8d5e2a96775aa6256dae87de1170
                                        • Instruction ID: 81c8922bf57a2714f5d4e558802799448d54182b1ba8164c28ff6d0f136d3235
                                        • Opcode Fuzzy Hash: c123e4544efe1767c5cfac96eb72f7bad0cd8d5e2a96775aa6256dae87de1170
                                        • Instruction Fuzzy Hash: 18310233505B01DBC731CF28C8987E6B7A3AF96314F258A5DC0A65B2A1DB78700A8B61
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BFE3E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFE3EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: 7ad66dc5fa80b18c496fcab9393d63c9014312b1e51e2fced9a41d185e48fb27
                                        • Instruction ID: a686e870243011e7840370539b0e69f7bf59946148303842d761874f54b9b8de
                                        • Opcode Fuzzy Hash: 7ad66dc5fa80b18c496fcab9393d63c9014312b1e51e2fced9a41d185e48fb27
                                        • Instruction Fuzzy Hash: 98310133104701DBC735CF28C4987A6B7B2AF92304F254A5CC0EA5B2B5DB79B406CB61
                                        APIs
                                        • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C165130
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ManagerOpen
                                        • String ID:
                                        • API String ID: 1889721586-0
                                        • Opcode ID: 06e3c3c830669a9e0f74771e70f2b1e0fde329b5af76a10ef0d67d55d36fef8b
                                        • Instruction ID: b8cd50b2160f0b8e29c9baf2b097b9fc7df034c3abedfd6a5c9c9bbd39c8adc7
                                        • Opcode Fuzzy Hash: 06e3c3c830669a9e0f74771e70f2b1e0fde329b5af76a10ef0d67d55d36fef8b
                                        • Instruction Fuzzy Hash: 563147B4609301EFC710CF2AC584A0ABBF0AB8A758F51895EF888C7761C371C858DB62
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 6BFE3E9D
                                        • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BFE3EAA
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Thread$CurrentInformation
                                        • String ID:
                                        • API String ID: 1650627709-0
                                        • Opcode ID: dfddc45d17862a06b9b93c5a09c521e72dee76ea844a0b42f0c8da1f83b272bd
                                        • Instruction ID: f394b5665d31b664a4e9126f4279f64626a908d8608ad03c4fdba2712583f1d6
                                        • Opcode Fuzzy Hash: dfddc45d17862a06b9b93c5a09c521e72dee76ea844a0b42f0c8da1f83b272bd
                                        • Instruction Fuzzy Hash: 91210533518701EBD735CF24C8987AAB7B2AF42304F244A5DD0A64B2B0DB78B4068B71
                                        APIs
                                        • FindFirstFileA.KERNEL32(?,?), ref: 6C15AEDC
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: FileFindFirst
                                        • String ID:
                                        • API String ID: 1974802433-0
                                        • Opcode ID: 463a5cb9b15cfdcd59f737340673275f6f910cdfeeee14818fd42bc97e61b7a5
                                        • Instruction ID: ab6393252595d1d3687c6eb21e44c9eb29dea926f6f636b3180ae703e7f9b6f6
                                        • Opcode Fuzzy Hash: 463a5cb9b15cfdcd59f737340673275f6f910cdfeeee14818fd42bc97e61b7a5
                                        • Instruction Fuzzy Hash: 861136B4548350AFD710CB28D94452EBBE4BF86314F948E9AF4B8CB691D335CC948B72
                                        APIs
                                        • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C13ABA7
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: FileRead
                                        • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                        • API String ID: 2738559852-1563143607
                                        • Opcode ID: b0f16579b11d8e6e7da52a181cd9e4e64cd9789ba1fd1c69f4ac809145028102
                                        • Instruction ID: 6f37787a94fd6a45db14fb83d1f557e4a9daae63c680c0d9eb62942993df4b16
                                        • Opcode Fuzzy Hash: b0f16579b11d8e6e7da52a181cd9e4e64cd9789ba1fd1c69f4ac809145028102
                                        • Instruction Fuzzy Hash: F262797060D7918FCB24CF58C490A5ABBE2AFDA308F249D1EE899CB755D734D8468B43

                                         Control-flow Graph (function at 6C17CAD3; the interactive graph with its Executed / Not Executed block colouring is not reproducible as text)
                                         • Windows API calls reached from the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: ad06768193181b6588c8723a2c7609cb5523d63603c69ea9183430f9d822092c
                                        • Instruction ID: 7516ee41ff6cd33fefac4113cad4d18464ab88826efe22c08df67ccef96e0ca0
                                        • Opcode Fuzzy Hash: ad06768193181b6588c8723a2c7609cb5523d63603c69ea9183430f9d822092c
                                        • Instruction Fuzzy Hash: A8C10670E04249AFDF11DFA9C8A0BEDBFB1AF4A318F204159E950ABB81C7759945CB70

                                         Control-flow Graph (function at 6C18406C; the interactive graph with its Executed / Not Executed block colouring is not reproducible as text)
                                         • Windows API calls reached from the graph: GetFileType, GetLastError, CloseHandle (CreateFileW is called from the subcall at 6C184457)
                                        APIs
                                          • Part of subcall function 6C184457: CreateFileW.KERNEL32(00000000,00000000,?,6C184115,?,?,00000000,?,6C184115,00000000,0000000C), ref: 6C184474
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C184180
                                        • __dosmaperr.LIBCMT ref: 6C184187
                                        • GetFileType.KERNEL32(00000000), ref: 6C184193
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C18419D
                                        • __dosmaperr.LIBCMT ref: 6C1841A6
                                        • CloseHandle.KERNEL32(00000000), ref: 6C1841C6
                                        • CloseHandle.KERNEL32(6C17B0D0), ref: 6C184313
                                        • GetLastError.KERNEL32 ref: 6C184345
                                        • __dosmaperr.LIBCMT ref: 6C18434C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                        • String ID: 8Q
                                        • API String ID: 4237864984-4022487301
                                        • Opcode ID: 49d1ca81cc0b727ece7ab65a91d9e0e20da067ca9cfe96d86b511335d5bd3c71
                                        • Instruction ID: 0a0251a1d07ed42bc018902475f0689b48f8d0381f4d3a1232da2d04ad20015b
                                        • Opcode Fuzzy Hash: 49d1ca81cc0b727ece7ab65a91d9e0e20da067ca9cfe96d86b511335d5bd3c71
                                        • Instruction Fuzzy Hash: 2BA14932A091549FCF09CF68C8A17EE7BB5AB07328F244259E821EF7C1CB359816CB51

                                         Control-flow Graph (function at 6C13C1E0; the interactive graph with its Executed / Not Executed block colouring is not reproducible as text)
                                         • Windows API calls reached from the graph: WriteFile (three call sites), ReadFile; this entry has no separate APIs list, so the graph is the only record of these calls
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: :uW$;uW$;uW$> 4!$> 4!
                                        • API String ID: 0-4100612575
                                        • Opcode ID: 7cc9b1f253ee2e4e6a4548a3b501d27e2c616b9bf371c6a37fe57e3469c6404d
                                        • Instruction ID: e8cf6f4e28ee1adf9f8b31180e0bef021ee0df68075777cd0808048b8075677a
                                        • Opcode Fuzzy Hash: 7cc9b1f253ee2e4e6a4548a3b501d27e2c616b9bf371c6a37fe57e3469c6404d
                                        • Instruction Fuzzy Hash: 5F71BDB0208365EFC710DF55C890B6ABBF4FF8A708F104A2EF488D6650D3B5D8588B96
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K?Jo$K?Jo$`Rlx$7eO
                                        • API String ID: 0-174837320
                                        • Opcode ID: 986b23844f3d8206fb606f26c4c05519f586eb94315e480fea59ce24723491c6
                                        • Instruction ID: 548aafe359a4b5cd5304b0fbd78267707936163d2420c18fdad2d9d15673df50
                                        • Opcode Fuzzy Hash: 986b23844f3d8206fb606f26c4c05519f586eb94315e480fea59ce24723491c6
                                        • Instruction Fuzzy Hash: 324297B86097518FD754CF18C090A1ABBF1EFD9358F20AE1EE59987B60E638D844CB43
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;T55
                                        • API String ID: 0-2572755013
                                        • Opcode ID: bbc34b7b8b0fceca03248c58e2d82e2266b789801f5732ae36f19d7c11e5d07f
                                        • Instruction ID: ee18af5822155518251048c6003d973cedd4cd4f51d62d321acf54e7c6291525
                                        • Opcode Fuzzy Hash: bbc34b7b8b0fceca03248c58e2d82e2266b789801f5732ae36f19d7c11e5d07f
                                        • Instruction Fuzzy Hash: 8E03E732645B018FC728CF28C8D0699B7E3AFD5324719CA6DC0A64B7A5DB78B54BCB50

                                         Control-flow Graph (function at 6C164FF0; the interactive graph with its Executed / Not Executed block colouring is not reproducible as text)
                                         • Windows API calls reached from the graph: CreateProcessA, then WaitForSingleObject and two CloseHandle calls on one path (launch a child process and wait for it to exit)
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID: D
                                        • API String ID: 963392458-2746444292
                                        • Opcode ID: 8d884013ad7deda68d265ab2aa2a5331267cb4aff5e24f31e8c492f82daf6ed1
                                        • Instruction ID: 223ae69208f10e97906ae1d5fc719e4d21a0be58b76a589e0f02083fe1f09ff6
                                        • Opcode Fuzzy Hash: 8d884013ad7deda68d265ab2aa2a5331267cb4aff5e24f31e8c492f82daf6ed1
                                        • Instruction Fuzzy Hash: 103102708093808FD740DF29C19872ABBF0EB9A318F509A1DF8D986251E7B8D598CF43

                                         Control-flow Graph (function at 6C17BC5E; the interactive graph with its Executed / Not Executed block colouring is not reproducible as text)
                                         • Windows API calls reached from the graph: WriteFile, GetLastError
                                        APIs
                                          • Part of subcall function 6C17BEB1: GetConsoleCP.KERNEL32(?,6C17B0D0,?), ref: 6C17BEF9
                                        • WriteFile.KERNEL32(?,?,6C1846EC,00000000,00000000,?,00000000,00000000,6C185AB6,00000000,00000000,?,00000000,6C17B0D0,6C1846EC,00000000), ref: 6C17BDAF
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1846EC,6C17B0D0,00000000,?,?,?,?,00000000,?), ref: 6C17BDB9
                                        • __dosmaperr.LIBCMT ref: 6C17BDFE
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 251514795-4022487301
                                        • Opcode ID: 836a8accd3629a9c2e11626c356fc9129d45cd57d186f84e17e2445370729e5b
                                        • Instruction ID: 1ebc2c36a9feab0aab793b58196dfe649ed425043cde173813340403a5371c48
                                        • Opcode Fuzzy Hash: 836a8accd3629a9c2e11626c356fc9129d45cd57d186f84e17e2445370729e5b
                                        • Instruction Fuzzy Hash: C851F671A0520AAFDB21DFA9C880BEEBBB9EF0631CF150451E510ABA91DB349945C7B1

                                         Control-flow Graph (function at 6C165B90; the interactive graph with its Executed / Not Executed block colouring is not reproducible as text)
                                         • No direct Windows API calls in the graph; only calls to other functions in the module (6C0301F0, 6C170B18, 6C032250, 6C032340, 6C169379, 6C02E010, 6C167088)
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165D31
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 323602529-1866435925
                                        • Opcode ID: 8ebbbe49d9a24212a7e6480042f818a5c4d886c957ae478d1df7a148976e14d9
                                        • Instruction ID: 20de6d37a9d1243ed9a3e722342e77bbe3a44a9d277a8031b73c604f7e9145f5
                                        • Opcode Fuzzy Hash: 8ebbbe49d9a24212a7e6480042f818a5c4d886c957ae478d1df7a148976e14d9
                                        • Instruction Fuzzy Hash: F95143B5900B008FD725CF2AC495BA7BBF1BB49318F108A2DD8864BB91D775B909CF90
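The function entries above all follow one fixed text layout: an "APIs" list of "Name.MODULE(args), ref: ADDR" lines (with a "Part of subcall function" prefix when the call sits in a callee, and ".LIBCMT"/".LIBCPMT" instead of a DLL name for statically linked runtime routines), then a "Similarity" block whose "String ID" joins the function's strings with "$" and which always ends with the "Instruction Fuzzy Hash". When a report has hundreds of such entries, the useful ones (file enumeration, process creation) are buried among CRT helpers, so the first thing an analyst wants is a parser. The following Python is an added example written for this page, not code from Joe Security or from the report: `parse_entries()`, `triage()` and the rule names are the editor's own, the CRT tag relies on the assumption that the ".LIBCMT"/".LIBCPMT" suffix marks library code identified by IDA's signatures, and `SAMPLE` is constructed from three entries on this page with some lines and argument lists trimmed.

```python
"""Parse the per-function "APIs" / "Similarity" entries of a Joe Sandbox
disassembly report into records and run a few triage rules.

Added example for this page, not code from Joe Security or from the report:
parse_entries(), triage() and the rule names are the editor's own. SAMPLE is
constructed from three entries on this page (some lines and arguments trimmed).
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
• FindFirstFileA.KERNEL32(?,?), ref: 6C15AEDC
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Instruction Fuzzy Hash: 861136B4548350AFD710CB28D94452EBBE4BF86314F948E9AF4B8CB691D335CC948B72
  • Part of subcall function 6C184457: CreateFileW.KERNEL32(00000000,00000000,?,6C184115), ref: 6C184474
• GetLastError.KERNEL32(?,?,?,?), ref: 6C184180
• __dosmaperr.LIBCMT ref: 6C184187
• GetFileType.KERNEL32(00000000), ref: 6C184193
• CloseHandle.KERNEL32(00000000), ref: 6C1841C6
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: 8Q
• API String ID: 4237864984-4022487301
• Instruction Fuzzy Hash: 2BA14932A091549FCF09CF68C8A17EE7BB5AB07328F244259E821EF7C1CB359816CB51
• std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165D31
• API ID: Ios_base_dtorstd::ios_base::_
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 323602529-1866435925
• Instruction Fuzzy Hash: F95143B5900B008FD725CF2AC495BA7BBF1BB49318F108A2DD8864BB91D775B909CF90
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall note;
# runtime helpers such as "__dosmaperr.LIBCMT ref: ..." carry no argument list.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Key: value" lines of the Similarity block ("API ID", "String ID", ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    subcall: str = ""  # address of the enclosing subcall, if the call sits in one


@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self) -> list:
        # The report joins a function's referenced strings with "$"; a literal
        # "$" inside a string cannot be told apart from the separator.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_entries(text: str) -> list:
    """Split report text into one FuncEntry per function."""
    entries, cur = [], FuncEntry()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"] or ""))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":  # last field of every entry
                entries.append(cur)
                cur = FuncEntry()
    return entries


# Triage rules are the editor's own, not report fields.
RULES = {
    "enumerates-files": {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"},
    "reads-file": {"ReadFile"},
    "writes-file": {"WriteFile"},
    "spawns-process": {"CreateProcessA", "CreateProcessW"},
}


def triage(entry: FuncEntry) -> set:
    names = {a.name for a in entry.apis}
    labels = {label for label, apis in RULES.items() if names & apis}
    # Assumption: ".LIBCMT" / ".LIBCPMT" is how IDA's library signatures name
    # statically linked MSVC C/C++ runtime routines, so such functions are
    # compiler code rather than the author's and rank low for manual review.
    if any(a.module in ("LIBCMT", "LIBCPMT") for a in entry.apis):
        labels.add("crt-library-code")
    return labels


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f"{e.fields.get('API ID') or '(none)':45} {sorted(triage(e))}")
```

Run against the full report text, the parser turns every entry into a record keyed by the report's own identifiers (API String ID, Instruction Fuzzy Hash), so entries can be grouped, the runtime helpers set aside, and only the functions that touch files or processes handed to a reverser.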

                                        Control-flow Graph

                                        control_flow_graph 7699 6c17b925-6c17b939 call 6c1815a2 7702 6c17b93f-6c17b947 7699->7702 7703 6c17b93b-6c17b93d 7699->7703 7705 6c17b952-6c17b955 7702->7705 7706 6c17b949-6c17b950 7702->7706 7704 6c17b98d-6c17b9ad call 6c18171f 7703->7704 7716 6c17b9af-6c17b9b9 call 6c16f9f2 7704->7716 7717 6c17b9bb 7704->7717 7709 6c17b957-6c17b95b 7705->7709 7710 6c17b973-6c17b983 call 6c1815a2 CloseHandle 7705->7710 7706->7705 7708 6c17b95d-6c17b971 call 6c1815a2 * 2 7706->7708 7708->7703 7708->7710 7709->7708 7709->7710 7710->7703 7720 6c17b985-6c17b98b GetLastError 7710->7720 7718 6c17b9bd-6c17b9c0 7716->7718 7717->7718 7720->7704
                                        APIs
                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,6C18425F), ref: 6C17B97B
                                        • GetLastError.KERNEL32(?,00000000,?,6C18425F), ref: 6C17B985
                                        • __dosmaperr.LIBCMT ref: 6C17B9B0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CloseErrorHandleLast__dosmaperr
                                        • String ID:
                                        • API String ID: 2583163307-0
                                        • Opcode ID: bca512c795c5c6ed2e752e31d0b8a8d042381cf14078d248fcfe7002c235385d
                                        • Instruction ID: 732dcfda0c3e489f338f28492dfddfaa7a4bdd812cfa71d9e9484cc162b09b32
                                        • Opcode Fuzzy Hash: bca512c795c5c6ed2e752e31d0b8a8d042381cf14078d248fcfe7002c235385d
                                        • Instruction Fuzzy Hash: 4D014E73A4A2205BC620063B9455BAE37654F93B3CF394359F83A87AC1DF60C8458270

                                        Control-flow Graph

                                        control_flow_graph 7944 6c170b9c-6c170ba7 7945 6c170bbe-6c170bcb 7944->7945 7946 6c170ba9-6c170bbc call 6c16f9cc call 6c170120 7944->7946 7948 6c170c06-6c170c0f call 6c17ae75 7945->7948 7949 6c170bcd-6c170be2 call 6c170cb9 call 6c17873e call 6c179c60 call 6c17b898 7945->7949 7957 6c170c10-6c170c12 7946->7957 7948->7957 7963 6c170be7-6c170bec 7949->7963 7964 6c170bf3-6c170bf7 7963->7964 7965 6c170bee-6c170bf1 7963->7965 7964->7948 7966 6c170bf9-6c170c05 call 6c1747bb 7964->7966 7965->7948 7966->7948
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8Q
                                        • API String ID: 0-4022487301
                                        • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction ID: 756154085fcb46bf4b76c9b748c0a207fe0a9a99fba3f3617cf1fbd40877a8c7
                                        • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                        • Instruction Fuzzy Hash: 1CF0FF72601B546AD6315A2A8C00BDB36A89F8337CF200755E87193ED0DB7AE40ACAB1
                                        APIs
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165AB4
                                        • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C165AF4
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Ios_base_dtorstd::ios_base::_
                                        • String ID:
                                        • API String ID: 323602529-0
                                        • Opcode ID: 6db1446b4cc222ba87748be623d3f9e03d9ce2316da49e6fd11e5f5b49a2c8e4
                                        • Instruction ID: 3d280b5fa56dbeedfc0dd684d336f4e47edb4d1976790f95b772a5966c28bcd4
                                        • Opcode Fuzzy Hash: 6db1446b4cc222ba87748be623d3f9e03d9ce2316da49e6fd11e5f5b49a2c8e4
                                        • Instruction Fuzzy Hash: FB513771201B00DBE725CF25C494BD6BBF4BB04718F448A1CD4AA5BB92DB30B559CB80
                                        APIs
                                        • GetLastError.KERNEL32(6C196DD8,0000000C), ref: 6C16EF52
                                        • ExitThread.KERNEL32 ref: 6C16EF59
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorExitLastThread
                                        • String ID:
                                        • API String ID: 1611280651-0
                                        • Opcode ID: 783881b589b905f4b456caa3834b840845a9b96f9e2e209d806240b5d21d3c35
                                        • Instruction ID: b050ed80ac41f9acadecacc0924182a2e00dddac323c647f77459872eec60be3
                                        • Opcode Fuzzy Hash: 783881b589b905f4b456caa3834b840845a9b96f9e2e209d806240b5d21d3c35
                                        • Instruction Fuzzy Hash: 98F0C271A00604AFDF109FB1C819BAE3B74FF41318F244289E41597B50CF315A15DBE1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __wsopen_s
                                        • String ID:
                                        • API String ID: 3347428461-0
                                        • Opcode ID: 4e455dfeca53e8af26f9324183289a3596062cc4e2178a9f9a19ca1127582398
                                        • Instruction ID: 732e4595d2d7bb620d0dd97d6beb1893857450c1644b7eb4a8a779d26253c9c0
                                        • Opcode Fuzzy Hash: 4e455dfeca53e8af26f9324183289a3596062cc4e2178a9f9a19ca1127582398
                                        • Instruction Fuzzy Hash: 84118871A0420EAFCF05CF59E945A9B3BF8EF49308F1440A9F808AB301D731E911CBA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID:
                                        • API String ID: 269201875-0
                                        • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction ID: 866f6c938c73b8e7a7a6096360440289834597d2677122394c2111e2435c9ea6
                                        • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                        • Instruction Fuzzy Hash: 07012C72C05159AFCF019FA88D00AEF7FB9AB08214F144165FD24A26A0E7318A25DB91
                                        APIs
                                        • CreateFileW.KERNEL32(00000000,00000000,?,6C184115,?,?,00000000,?,6C184115,00000000,0000000C), ref: 6C184474
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: 1b0dce695742ffac9d3f70f3516ea9540bd436e00e219a2fe5d28a1bc9c96693
                                        • Instruction ID: 760800c77fc5c65a0de1362a7b03c5d59e07b11ad97598d16ac08f69b0696d44
                                        • Opcode Fuzzy Hash: 1b0dce695742ffac9d3f70f3516ea9540bd436e00e219a2fe5d28a1bc9c96693
                                        • Instruction Fuzzy Hash: E9D06C3210010DBBDF128E84DC06EDA3BAAFB88714F014000BA1856020C732E861AB90
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction ID: f3ed5f3b624bfd12e9bfda474507b040cbd9493895a2dde946e06f57bf2e75c8
                                        • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _strlen
                                        • String ID: g)''
                                        • API String ID: 4218353326-3487984327
                                        • Opcode ID: dc5dec03836a5ec59de63eb6916ff9dd9bf8761d5ed52f4842726bbe44fb1635
                                        • Instruction ID: fe6d224e96fb66438acd93582a16996287c432f7b74a03270e31d2b629280b28
                                        • Opcode Fuzzy Hash: dc5dec03836a5ec59de63eb6916ff9dd9bf8761d5ed52f4842726bbe44fb1635
                                        • Instruction Fuzzy Hash: D6632231645B018FC728CF29C8D0A95B3F3AF9531876ACA6DC0E64BE55E778B45ACB40
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 6C165D6A
                                        • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C165D76
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C165D84
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C165DAB
                                        • NtInitiatePowerAction.NTDLL ref: 6C165DBF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                        • String ID: SeShutdownPrivilege
                                        • API String ID: 3256374457-3733053543
                                        • Opcode ID: 4aabe5a6a3f377fa839dfe36519f7a04ca6eed7f452eb2fd9b74b609a579c39a
                                        • Instruction ID: f3b4b8faf57d9d5920e246f192a193f7ae474e3dfe77532a23301e46993eefec
                                        • Opcode Fuzzy Hash: 4aabe5a6a3f377fa839dfe36519f7a04ca6eed7f452eb2fd9b74b609a579c39a
                                        • Instruction Fuzzy Hash: 29F0B470644300BBEA00AB24DD0EB6A7BB4EF56701F018608FD85A60D1D7B06984CBA2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \j`7$\j`7$j
                                        • API String ID: 0-3644614255
                                        • Opcode ID: f223a2cb81013bcf15c1b1260bfee8c47f355c4d636f657ceff5dde74cfa231f
                                        • Instruction ID: 15b2acef885069d1b82d72cdad807c88136398c674c0f06c99384e5cf3cc0ce4
                                        • Opcode Fuzzy Hash: f223a2cb81013bcf15c1b1260bfee8c47f355c4d636f657ceff5dde74cfa231f
                                        • Instruction Fuzzy Hash: 08422476608382AFCB24CF69C48066EBBE1BBC9354F14495EE495CB360D339D946CB63
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1C6CE5
                                          • Part of subcall function 6C19CC2A: __EH_prolog.LIBCMT ref: 6C19CC2F
                                          • Part of subcall function 6C19E6A6: __EH_prolog.LIBCMT ref: 6C19E6AB
                                          • Part of subcall function 6C1C6A0E: __EH_prolog.LIBCMT ref: 6C1C6A13
                                          • Part of subcall function 6C1C6837: __EH_prolog.LIBCMT ref: 6C1C683C
                                          • Part of subcall function 6C1CA143: __EH_prolog.LIBCMT ref: 6C1CA148
                                          • Part of subcall function 6C1CA143: ctype.LIBCPMT ref: 6C1CA16C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog$ctype
                                        • String ID:
                                        • API String ID: 1039218491-3916222277
                                        • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                        • Instruction ID: ae422dd33d8fc520d35fec1d59de18ccfbcffe73b1bcc9c155a84355ba57f1b2
                                        • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                        • Instruction Fuzzy Hash: F603B13090529CDFDF11CFA4C890BECBBB1AF25318F14409AE44967A91DB785B89DF62
                                        APIs
                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C170279
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C170283
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C170290
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                        • String ID:
                                        • API String ID: 3906539128-0
                                        • Opcode ID: 39659a7d5bf3efefacf75f92d0cb2815eda43fd54a4b24a595fc2a20682e9fb0
                                        • Instruction ID: 7d80213716cdd4d5f56a6052c1fd01e00043915279ba250e1bf887d6d370ec45
                                        • Opcode Fuzzy Hash: 39659a7d5bf3efefacf75f92d0cb2815eda43fd54a4b24a595fc2a20682e9fb0
                                        • Instruction Fuzzy Hash: 7231C4B590131C9BCB21DF29D8887DDBBB4BF18314F5041DAE81DA7650EB709B858F54
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,?,6C16F235,6C169C49,00000003,00000000,6C169C49,00000000), ref: 6C16F19F
                                        • TerminateProcess.KERNEL32(00000000,?,6C16F235,6C169C49,00000003,00000000,6C169C49,00000000), ref: 6C16F1A6
                                        • ExitProcess.KERNEL32 ref: 6C16F1B8
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Process$CurrentExitTerminate
                                        • String ID:
                                        • API String ID: 1703294689-0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: x=J
                                        • API String ID: 3519838083-1497497802
                                        APIs
                                        • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C1678B0
                                        • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C1680D3
                                          • Part of subcall function 6C169379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C1680BC,00000000,?,?,?,6C1680BC,?,6C19554C), ref: 6C1693D9
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        Similarity
                                        • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                        • String ID:
                                        • API String ID: 915016180-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: @4J$DsL
                                        • API String ID: 0-2004129199
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1B540F
                                          • Part of subcall function 6C1B6137: __EH_prolog.LIBCMT ref: 6C1B613C
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: YA1
                                        • API String ID: 0-613462611
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID: __aullrem
                                        • String ID:
                                        • API String ID: 3758378126-0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID: 0-3916222277
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: (SL
                                        • API String ID: 0-669240678
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: xU&l
                                        • API String ID: 0-1650595171
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                        • Instruction ID: 14b32a64df0bcd293e28692756b75fcc423e153b917f696dc1185f4eb5d2bd23
                                        • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                        • Instruction Fuzzy Hash: B481D335A087068FC320DF29C080246B7E1FF99704F29C96DD9999BB15E772E947CB81
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction ID: f06343140c4489a5a1caa14e06fc7aaf9a37595620df41ab59627b2d07d20797
                                        • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                        • Instruction Fuzzy Hash: 72518FB2F006099BDB08CE98DAA16ADB7F1EB98304F248169D515F7781D774AA41CF40
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction ID: 7582cad110a897d6030f60462cc5fc13bb7f5c223c2ed3f38b5ce76433596b6e
                                        • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                        • Instruction Fuzzy Hash: 803114277A440103C70CCE3BCC1679F91535BE466A70ECF79AC05EEF55D52CC8164544
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                        • Instruction ID: 82fd6fe14563b513cba1d6f953ecf1933a648fd62d5db317c0d737cbde87b49c
                                        • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                        • Instruction Fuzzy Hash: 5F219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                        • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction ID: 586d1611c2944f6ff8ec719a6ba5b5ee99bb7d24fa36e45ac37272567eb03e25
                                        • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                        • Instruction Fuzzy Hash: 10E08C72A12238EBCB25EB88CA00E8AB3ECEB48B45F210096B501D3610D270DE04C7E0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                        • Instruction ID: 0ac7678a75ce2e63ffd32215bc481eafa9b301a584c0df26a37375d5a2789853
                                        • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                        • Instruction Fuzzy Hash: D9C08CE312810057C702EA2599C0BAAF7A37360330F228C2EA0A2F7E43C328C0648111
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmpDownload File
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                        Similarity
                                        • API ID: __aulldiv$H_prolog
                                        • String ID: >WJ$x$x
                                        APIs
                                        • _ValidateLocalCookies.LIBCMT ref: 6C169B07
                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 6C169B0F
                                        • _ValidateLocalCookies.LIBCMT ref: 6C169B98
                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 6C169BC3
                                        • _ValidateLocalCookies.LIBCMT ref: 6C169C18
                                        Similarity
                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                        • String ID: csm
                                        Similarity
                                        • String ID: api-ms-$ext-ms-
                                        Similarity
                                        • API ID: FileWrite__fassign$ConsoleErrorLast
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                        • API ID: __aulldiv$__aullrem
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1AA6F1
                                          • Part of subcall function 6C1B9173: __EH_prolog.LIBCMT ref: 6C1B9178
                                        • __EH_prolog.LIBCMT ref: 6C1AA8F9
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: IJ$WIJ$J
                                        APIs
                                        • _free.LIBCMT ref: 6C185ADD
                                        • _free.LIBCMT ref: 6C185B06
                                        • SetEndOfFile.KERNEL32(00000000,6C1846EC,00000000,6C17B0D0,?,?,?,?,?,?,?,6C1846EC,6C17B0D0,00000000), ref: 6C185B38
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C1846EC,6C17B0D0,00000000,?,?,?,?,00000000,?), ref: 6C185B54
                                        Similarity
                                        • API ID: _free$ErrorFileLast
                                        • String ID: 8Q
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1BE41D
                                          • Part of subcall function 6C1BEE40: __EH_prolog.LIBCMT ref: 6C1BEE45
                                          • Part of subcall function 6C1BE8EB: __EH_prolog.LIBCMT ref: 6C1BE8F0
                                          • Part of subcall function 6C1BE593: __EH_prolog.LIBCMT ref: 6C1BE598
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: &qB$0aJ$A0$XqB
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: J$0J$DJ$`J
                                        APIs
                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C16F1B4,00000000,?,6C16F235,6C169C49,00000003,00000000), ref: 6C16F13F
                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C16F152
                                        • FreeLibrary.KERNEL32(00000000,?,?,6C16F1B4,00000000,?,6C16F235,6C169C49,00000003,00000000), ref: 6C16F175
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: AddressFreeHandleLibraryModuleProc
                                        • String ID: CorExitProcess$mscoree.dll
                                        • API String ID: 4061214504-1276376045
                                        • Opcode ID: fe926a97b7b2a70e59522f55570393399a39bf2e1726c2a68da2d1a281d49313
                                        • Instruction ID: bfd003bb0e66ba72697e2e7723a300d4526e8054c3bb0d785a74b2b669aebca2
                                        • Opcode Fuzzy Hash: fe926a97b7b2a70e59522f55570393399a39bf2e1726c2a68da2d1a281d49313
                                        • Instruction Fuzzy Hash: 77F01C31601519FBDF029F92C90DB9E7A79EB067AAF214064F826A2550CB708E10EA91
                                        APIs
                                        • __EH_prolog3.LIBCMT ref: 6C16732E
                                        • std::_Lockit::_Lockit.LIBCPMT ref: 6C167339
                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 6C1673A7
                                          • Part of subcall function 6C167230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C167248
                                        • std::locale::_Setgloballocale.LIBCPMT ref: 6C167354
                                        • _Yarn.LIBCPMT ref: 6C16736A
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                        • String ID:
                                        • API String ID: 1088826258-0
                                        • Opcode ID: 3b6e47d8b99a7b426f169f07a273df7047b30f9dbec49847af42f47dbc99bee3
                                        • Instruction ID: 39f3c951b6ce12469f6feda033472cda66e7465944e299b869f04cbcd3e0b746
                                        • Opcode Fuzzy Hash: 3b6e47d8b99a7b426f169f07a273df7047b30f9dbec49847af42f47dbc99bee3
                                        • Instruction Fuzzy Hash: FA01DF75A002108BDB06DF22C858ABC77B1FF96304B15804ADC0297BC0CF34AA6ACFE1
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $!$@
                                        • API String ID: 3519838083-2517134481
                                        • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction ID: adb3246fe3c82fdb962d3cc4a0eede5cb150005512dcf6a57001e82097ec5603
                                        • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                        • Instruction Fuzzy Hash: 4A126C74A0564DDFDB04CFA4C490ADDBBB1BF09308F24846AE945EBB52DB34E945CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog__aulldiv
                                        • String ID: $SJ
                                        • API String ID: 4125985754-3948962906
                                        • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction ID: dc81c77298643bdeed03874748cf812d7f4539b83ec912e0fc2e4c54657c456a
                                        • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                        • Instruction Fuzzy Hash: CFB13BB1E00209DFCB14CF99C9949AEBBB1FF58314B60852EE419B7B50D734AA49CF50
                                        APIs
                                          • Part of subcall function 6C167327: __EH_prolog3.LIBCMT ref: 6C16732E
                                          • Part of subcall function 6C167327: std::_Lockit::_Lockit.LIBCPMT ref: 6C167339
                                          • Part of subcall function 6C167327: std::locale::_Setgloballocale.LIBCPMT ref: 6C167354
                                          • Part of subcall function 6C167327: _Yarn.LIBCPMT ref: 6C16736A
                                          • Part of subcall function 6C167327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C1673A7
                                          • Part of subcall function 6C032F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C032F95
                                          • Part of subcall function 6C032F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C032FAF
                                          • Part of subcall function 6C032F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C032FD0
                                          • Part of subcall function 6C032F60: __Getctype.LIBCPMT ref: 6C033084
                                          • Part of subcall function 6C032F60: std::_Facet_Register.LIBCPMT ref: 6C03309C
                                          • Part of subcall function 6C032F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0330B7
                                        • std::ios_base::_Addstd.LIBCPMT ref: 6C03211B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                        • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                        • API String ID: 3332196525-1866435925
                                        • Opcode ID: c4e335b18c07bbb31d31e6bb72535bf2f0ac2bd7203721199aa83c55ee3d8f86
                                        • Instruction ID: 586c4024c1f8dc90e8ac96e6d0cbe0e70f73480210fe4f4ea7e93ebedbc04967
                                        • Opcode Fuzzy Hash: c4e335b18c07bbb31d31e6bb72535bf2f0ac2bd7203721199aa83c55ee3d8f86
                                        • Instruction Fuzzy Hash: 6241B2B0A0031A9FDB00CF64C8457AEBBF0FF49318F149268E919AB791D775A985CBD0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $CK$CK
                                        • API String ID: 3519838083-2957773085
                                        • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                        • Instruction ID: bc03c80c8da9eecf494504070aa4b9812f67d9c5822d8752e336a70cb2435e63
                                        • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                        • Instruction Fuzzy Hash: BE219274E016098BDB08DFE9C4902EEF7B6FFA4304F54466AC516F3B91C7745A068E61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0$LrJ$x
                                        • API String ID: 3519838083-658305261
                                        • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                        • Instruction ID: 3b500785272295773945452296dccb62d872efc933d97a0e9ecdee1c1d809604
                                        • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                        • Instruction Fuzzy Hash: F0213B36D421199FCF04DBD8C9A0BEDB7B5EFA9308F20005AE41577640DB795E49CBA2
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1C4ECC
                                          • Part of subcall function 6C1AF58A: __EH_prolog.LIBCMT ref: 6C1AF58F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :hJ$dJ$xJ
                                        • API String ID: 3519838083-2437443688
                                        • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction ID: 59ae7b2131fc9c6f3f115e5c4c030e884094e3184c783941ab82bb8c00efdfdf
                                        • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                        • Instruction Fuzzy Hash: 0D21D8B0801B50CFC760DF6AC14429ABBF4BF2A708B00C95EC0AA97B11D7B8A608CF55
                                        APIs
                                        • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C17B0D0,6C031DEA,00008000,6C17B0D0,?,?,?,6C17AC7F,6C17B0D0,?,00000000,6C031DEA), ref: 6C17ADC9
                                        • GetLastError.KERNEL32(?,?,?,6C17AC7F,6C17B0D0,?,00000000,6C031DEA,?,6C18469E,6C17B0D0,000000FF,000000FF,00000002,00008000,6C17B0D0), ref: 6C17ADD3
                                        • __dosmaperr.LIBCMT ref: 6C17ADDA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorFileLastPointer__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 2336955059-4022487301
                                        • Opcode ID: 23359a250ec1d28d2ba24b95c8fce2ce5d87a6b75c32919de9464b2b5b9f822d
                                        • Instruction ID: 5793322fcbc905db012fba7f23085146b750b2326e4c085138d0442a877c7d16
                                        • Opcode Fuzzy Hash: 23359a250ec1d28d2ba24b95c8fce2ce5d87a6b75c32919de9464b2b5b9f822d
                                        • Instruction Fuzzy Hash: 2301D433714515AFCF158F6ACC05A9E3B29EB86325B350208F8229B680EA71DD118BA0
                                        APIs
                                        • AcquireSRWLockExclusive.KERNEL32(6C26466C,?,652EF5AA,6C03230E,6C26430C), ref: 6C166B07
                                        • ReleaseSRWLockExclusive.KERNEL32(6C26466C), ref: 6C166B3A
                                        • WakeAllConditionVariable.KERNEL32(6C264668), ref: 6C166B45
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                        • String ID: lF&l
                                        • API String ID: 1466638765-2742667394
                                        • Opcode ID: c347391972ac8fcce3dd535381ad80a4f69f8ba2bd7dea6cf094ead048dc6ecc
                                        • Instruction ID: 7a37e3e6b4a2481280797605af3c7af01cadc9f9688dce14e7489ae885daac1c
                                        • Opcode Fuzzy Hash: c347391972ac8fcce3dd535381ad80a4f69f8ba2bd7dea6cf094ead048dc6ecc
                                        • Instruction Fuzzy Hash: 1AF039B8A01504DFCB05EF5AE858DA4BBB8FB4B351B01806AFD0687740CB70A801CFB5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: <J$DJ$HJ$TJ$]
                                        • API String ID: 0-686860805
                                        • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                        • Instruction ID: 0c563af479b35e2e247e90744de1733dd8a98198d32f909d92def410a44ccbb0
                                        • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                        • Instruction Fuzzy Hash: 1D416071C05289AFDF14DBA1D4D0AEEB770AF21308B608169E16277E60EB39A64DCF11
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID:
                                        • API String ID: 3732870572-0
                                        • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                        • Instruction ID: 472497a8a7d810291be021ff8e45c55b01e37c182b97f9644b64c0ea44dc3db9
                                        • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                        • Instruction Fuzzy Hash: AA1193B620020CBFEB254BA4CD44EAF7BBDEFD5B44F10841DF54566A60CA71AC149B20
                                        APIs
                                        • GetLastError.KERNEL32(00000008,?,00000000,6C178453), ref: 6C1749B7
                                        • _free.LIBCMT ref: 6C174A14
                                        • _free.LIBCMT ref: 6C174A4A
                                        • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C174A55
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast_free
                                        • String ID:
                                        • API String ID: 2283115069-0
                                        • Opcode ID: ebec04221c71c1aa3dc293c4ff961ef8d792d63da997ad3ccf1a8ea2ecc03bbd
                                        • Instruction ID: 5ad97820227f7073c0e708f302a9be9cde1648efbe9ad3784d369b8190c00a88
                                        • Opcode Fuzzy Hash: ebec04221c71c1aa3dc293c4ff961ef8d792d63da997ad3ccf1a8ea2ecc03bbd
                                        • Instruction Fuzzy Hash: 2811A7323051046BDE3159B94C88E6A2269ABC737CB360625F53593BC0DF718C098D78
                                        APIs
                                        • WriteConsoleW.KERNEL32(00000000,?,6C1846EC,00000000,00000000,?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0), ref: 6C185ED1
                                        • GetLastError.KERNEL32(?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?,6C17B0D0,?,6C17BD1C,6C185AB6), ref: 6C185EDD
                                          • Part of subcall function 6C185F2E: CloseHandle.KERNEL32(FFFFFFFE,6C185EED,?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?,6C17B0D0), ref: 6C185F3E
                                        • ___initconout.LIBCMT ref: 6C185EED
                                          • Part of subcall function 6C185F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C185EAB,6C184B3E,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?), ref: 6C185F22
                                        • WriteConsoleW.KERNEL32(00000000,?,6C1846EC,00000000,?,6C184B51,00000000,00000001,00000000,6C17B0D0,?,6C17C286,?,?,6C17B0D0,?), ref: 6C185F02
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                        • String ID:
                                        • API String ID: 2744216297-0
                                        • Opcode ID: 8fa5df59938979cd15ad00042b7dac132fbc6fe04176bc0e2639abc78ff802ce
                                        • Instruction ID: 495fdb7eb5bf5a88be830aa6a99650d18956b369c4ffbfcd24cf2ac101a282b8
                                        • Opcode Fuzzy Hash: 8fa5df59938979cd15ad00042b7dac132fbc6fe04176bc0e2639abc78ff802ce
                                        • Instruction Fuzzy Hash: 84F0C737505115BBDF121FA6DC089993F76FF067A5B044550FE1995560CB328820EFD0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C19E077
                                          • Part of subcall function 6C19DFF5: __EH_prolog.LIBCMT ref: 6C19DFFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: :$\
                                        • API String ID: 3519838083-1166558509
                                        • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                        • Instruction ID: de96cea3729257fae589ea13856b47688738d5c2d7316ff0c66abf6349956a2c
                                        • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                        • Instruction Fuzzy Hash: 28E1B030900209DADF11DFA8C890BEDB7B1BF2631CF14811DE85667B90EB75A749CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog__aullrem
                                        • String ID: d%K
                                        • API String ID: 3415659256-3110269457
                                        • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                        • Instruction ID: d676a29c0d4bf33280229a0744371dc128929f53f036c934e8ec4f9b9b2f0304
                                        • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                        • Instruction Fuzzy Hash: BB81C272A00A09DFDF00CF54C894BDEBBF5AF59348F248059E859EB641D775D909CBA0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog3_
                                        • String ID: 8Q
                                        • API String ID: 2427045233-4022487301
                                        • Opcode ID: a2f36ffef26a892b41aec89094db427f8523cbcc1724647af4eca194f0cbb431
                                        • Instruction ID: 5a610d3a32238c5c4327425290c76244b4659e385c06321d6a3475ab47fe299d
                                        • Opcode Fuzzy Hash: a2f36ffef26a892b41aec89094db427f8523cbcc1724647af4eca194f0cbb431
                                        • Instruction Fuzzy Hash: 4B71A371D052169FDB318F96C880BEE7BB5AF55318FA48229E82067E80DF758947CB70
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$hfJ
                                        • API String ID: 3519838083-1391159562
                                        • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                        • Instruction ID: 26bd7958640c9ab049f95ca5846f071d5725ead9e49da328457a2724fc45d360
                                        • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                        • Instruction Fuzzy Hash: 1B913C70A10248DFCB10DFA9C884ADEFBF4BF28308F94451EF556A7A50D774AA49CB11
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 6C1B8C5D
                                          • Part of subcall function 6C1B761A: __EH_prolog.LIBCMT ref: 6C1B761F
                                          • Part of subcall function 6C1B7A2E: __EH_prolog.LIBCMT ref: 6C1B7A33
                                          • Part of subcall function 6C1B8EA5: __EH_prolog.LIBCMT ref: 6C1B8EAA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: WZJ
                                        • API String ID: 3519838083-1089469559
                                        • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                        • Instruction ID: 58621775bd4814ea87e4634ec037c62bf2dc7a6f0e370636502f09280c3a89be
                                        • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                        • Instruction Fuzzy Hash: 67817835D00159DFDB15DFA8D890BDDB7B4AF19318F20409AE416B7BA0DB34AA09CF61
                                        APIs
                                        • ___std_exception_destroy.LIBVCRUNTIME ref: 6C032A76
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ___std_exception_destroy
                                        • String ID: Jbx$Jbx
                                        • API String ID: 4194217158-1161259238
                                        • Opcode ID: 24a26f3acb059ed46236c297f13bed71a707aa1cf5e267029520b58a199fd243
                                        • Instruction ID: be477f2d7df27737c0b7dea63d6dbfe30276acf60d1bfd3145e4abe683e26f4b
                                        • Opcode Fuzzy Hash: 24a26f3acb059ed46236c297f13bed71a707aa1cf5e267029520b58a199fd243
                                        • Instruction Fuzzy Hash: BA5123B19002059FCB10CF69C884B9EBBF5EF89314F10846EE8499BB42D335E995CBD2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: <dJ$Q
                                        • API String ID: 3519838083-2252229148
                                        • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                        • Instruction ID: 6e7d3c573a714ac3828457796d3b7376f57185af7839fbc0933fd44570f61c0b
                                        • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                        • Instruction Fuzzy Hash: C15181B1A04249EFCF00DFD8C8909EDB7B1BF55358F10851EF516AB650D7399A49CB12
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: $D^J
                                        • API String ID: 3519838083-3977321784
                                        • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                        • Instruction ID: 7fa6eafd48ec98e58d1a172c51b396cca949ad7c70f8c3ef18948e628ce94633
                                        • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                        • Instruction Fuzzy Hash: B1416B60E045906ED722DF3AC4D0BECBBA29F26308F188158C49667FC5DBB4598BCF90
                                        APIs
                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C1846D6), ref: 6C17D01B
                                        • __dosmaperr.LIBCMT ref: 6C17D022
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ErrorLast__dosmaperr
                                        • String ID: 8Q
                                        • API String ID: 1659562826-4022487301
                                        • Opcode ID: c14c5f33b27b218701a954a94ab3e730b0b3dcb615ce56c251c7be87f0cb26f8
                                        • Instruction ID: d2e7cb2f7036843b40a7286fe23a6f3889cd11b643f51f5aa18065dca350ec2d
                                        • Opcode Fuzzy Hash: c14c5f33b27b218701a954a94ab3e730b0b3dcb615ce56c251c7be87f0cb26f8
                                        • Instruction Fuzzy Hash: A341A931604198AFD731AF2DC8A0BA97FE0EF46304F248299E8808B642D3719D12C7B0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: X&L$p|J
                                        • API String ID: 3519838083-2944591232
                                        • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                        • Instruction ID: e24a43578ee59fe1c27bf943390f89f3c5c4b6d304d3ffaf0216c4e82156f2e4
                                        • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                        • Instruction Fuzzy Hash: 76313EB5A95105CBD7109B5CDD01FEE7771EB32728F130226D512A6EE0CB60B589CA51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: 0|J$`)L
                                        • API String ID: 3519838083-117937767
                                        • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction ID: a3dd5dce47430b4d52f6d5ea962c68b9b60fddad2412c9d6ab785174cd100ba0
                                        • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                        • Instruction Fuzzy Hash: 37419071605B85EFDB118F64C4A0BEABBE2FF55208F01442EE45A97750CB357909CB92
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: __aulldiv
                                        • String ID: 3333
                                        • API String ID: 3732870572-2924271548
                                        • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                        • Instruction ID: f631717390c0a15f6601f6e62b524a40eac0f5b0e83dd8944a9884acc02ca540
                                        • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                        • Instruction Fuzzy Hash: E62158B1900748AED7308FA98980B6BBBFDEB54B54F10891FA146D7B40D770E9448B65
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: _free
                                        • String ID: dU&l$hU&l
                                        • API String ID: 269201875-241561095
                                        • Opcode ID: f66853145b4581f96f089f0c2d514841fe23822ecabe7f6351488bebe6ac645b
                                        • Instruction ID: f713e14429265d763a591727582589889430413bd4afb8ef3442d0e0401a4752
                                        • Opcode Fuzzy Hash: f66853145b4581f96f089f0c2d514841fe23822ecabe7f6351488bebe6ac645b
                                        • Instruction Fuzzy Hash: 3F1193712043019BE7208F6AD495B82B7E4EB15358F30442FE499D7F80EB71E9868BB0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$LuJ
                                        • API String ID: 3519838083-205571748
                                        • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction ID: 6779f2cb157e26dc4f17bbf9527aa2e98c58c6b3c6f8de7c1c1ae427de066c20
                                        • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                        • Instruction Fuzzy Hash: F50184B1E01349DADB14DFE988906AEF7B4FF65304F81842EE569E3A40C3746905CB59
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID: @$xMJ
                                        • API String ID: 3519838083-951924499
                                        • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                        • Instruction ID: 98a18e1743387d2b246b10ba32469548beb916c01d937d6320e3bf9099b0497b
                                        • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                        • Instruction Fuzzy Hash: CF117C75A00309DBCB00DFD9C4A059EB7B4FF59348B50C42ED469E7700D3399A06CB95
                                        APIs
                                        • _free.LIBCMT ref: 6C17DD49
                                        • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C17A63A,?,00000004,?,4B42FCB6,?,?,6C16F78C,4B42FCB6,?), ref: 6C17DD85
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: AllocHeap_free
                                        • String ID: 8Q
                                        • API String ID: 1080816511-4022487301
                                        • Opcode ID: 86c7428a64efb91e8972a1227cf3f6d56d9660bd3dc7ab9aebdf0103cafb9a1b
                                        • Instruction ID: 8a71dada1e258171a0a5fac8b5eba6551b6369f53488c88decb7c6cc5252b4d0
                                        • Opcode Fuzzy Hash: 86c7428a64efb91e8972a1227cf3f6d56d9660bd3dc7ab9aebdf0103cafb9a1b
                                        • Instruction Fuzzy Hash: 4DF0C23220120D6ADB312A67DD44B9A3B689F93BB8B224125E9249BED0DF24C401C5F0
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: |zJ
                                        • API String ID: 3037903784-3782439380
                                        • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                        • Instruction ID: 2ac14493cb4196faffc69955922cdffe02d363b6fc64b278140def989b39499b
                                        • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                        • Instruction Fuzzy Hash: 26E06572616520DBE7158F49D8107EDF3B8FF54B15F52401F9416A7A41CBB5B806C781
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: H_prologctype
                                        • String ID: <oJ
                                        • API String ID: 3037903784-2791053824
                                        • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                        • Instruction ID: f9494cb93bcc508036b18e8029d74f0d0752a36f64ff099fe2f386ec46cd4f9b
                                        • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                        • Instruction Fuzzy Hash: FAE06D32B155209FDB059F49D820BEEF7A8EF66B24F11011FE025A7B51CBB5A8108686
                                        APIs
                                        • AcquireSRWLockExclusive.KERNEL32(6C26466C,?,?,652EF5AA,6C0322D8,6C26430C), ref: 6C166AB9
                                        • ReleaseSRWLockExclusive.KERNEL32(6C26466C), ref: 6C166AF3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BFE0000, based on PE: true
                                         • Associated: 00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                         • Associated: 00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID: ExclusiveLock$AcquireRelease
                                        • String ID: lF&l
                                        • API String ID: 17069307-2742667394
                                        • Opcode ID: 9cb45ed7e234b41914b910ab7dedd47f276245fbc7947b357a91af9e3f4f7fb4
                                        • Instruction ID: b0499250aa128eda1ed64a2b8d01a33906fe904d77c6a82df674cd066fdc57c0
                                        • Opcode Fuzzy Hash: 9cb45ed7e234b41914b910ab7dedd47f276245fbc7947b357a91af9e3f4f7fb4
                                        • Instruction Fuzzy Hash: CBF0A735240508DBC710DF1AD404A65B7B4FB47335F15822DE8A583FD0C7341852CA62
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: @ K$DJ$T)K$X/K
                                        • API String ID: 0-3815299647
                                        • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                        • Instruction ID: ff9711c287737129bac42ad3da2a91076e6cb7f088b2bec9e928b339d0c2bed7
                                        • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                        • Instruction Fuzzy Hash: 7891D0346053059BCB04DFA4C4A07EEB3F2AF5130CF148919C87A5BB85DBBAA94BCB51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C198000, based on PE: true
                                        • Associated: 00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp
                                        • Associated: 00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_6bfe0000_#U5b89#U88c5#U52a9#U624b_2.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: D)K$H)K$P)K$T)K
                                        • API String ID: 0-2262112463
                                        • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                        • Instruction ID: c09d8e90e74499ab6410acbd19ffc8966bb1c425b9ce8750829c5703b1a0d383
                                        • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                        • Instruction Fuzzy Hash: 5D51E33090420A9FDF01CF94D950BEEB7F5EF1531CF10445AE82967A80DB79995ACB91
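The Memory Dump Source entries above name each dumped region with a dotted file name that carries the process index, the region start address and the page protection of that region, and each API call carries a "ref:" code address that can be placed into one of those regions. The decoder below is an added example written for this page; it is not part of the Joe Sandbox report or of its tooling. The field layout, and the meaning of fields 1 to 3, 6 and 8, are assumptions inferred from the names on this page; field 4 (region base), field 5 (page protection) and field 7 (region type, 0x1000000 == MEM_IMAGE) are decoded with the documented Windows constants from winnt.h. The sample dump names are copied from the entries above; the "ref:" address used in the usage line is the AcquireSRWLockExclusive reference listed above, with the module base 6BFE0000 given as "Offset:".

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names and map code addresses
('ref:' values) onto the dumped regions.

Added example for this page, not Joe Sandbox code. Field layout assumed
(inferred from the names on this page):
  pid.phase.snapshot.base.protect.f6.type.f8.sdmp
Fields 1-3, 6 and 8 are labelled on a best-guess basis; fields 4, 5 and 7
match a region start address and the Windows page-protection and
memory-type constants, which is what this decoder relies on.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Page protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
# Memory region types from winnt.h.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<snapshot>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.IGNORECASE)

# Dump names copied from the Memory Dump Source entries on this page.
SAMPLE_DUMP_NAMES = [
    "00000006.00000002.1952699495.000000006BFE0000.00000002.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1952721422.000000006BFE1000.00000020.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1953902363.000000006C188000.00000002.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1953974606.000000006C198000.00000008.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1954573139.000000006C263000.00000004.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1954604063.000000006C269000.00000020.00000001.01000000.00000009.sdmp",
    "00000006.00000002.1955389243.000000006C352000.00000002.00000001.01000000.00000009.sdmp",
]


@dataclass(frozen=True)
class SdmpName:
    pid: int            # field 1: process index within the analysis (assumed)
    phase: int          # field 2: dump phase (assumed)
    snapshot: str       # field 3: snapshot identifier (assumed; kept verbatim)
    base: int           # field 4: start address of the dumped region
    protect_value: int  # field 5: raw page protection value
    protect: str        # field 5 decoded with PAGE_PROTECTION
    mem_type: str       # field 7 decoded with MEM_TYPE
    raw: str


def parse_sdmp_name(name: str) -> SdmpName:
    """Split a dump file name into its fields and decode the Windows constants."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return SdmpName(
        pid=int(m["pid"], 16), phase=int(m["phase"], 16), snapshot=m["snapshot"],
        base=int(m["base"], 16), protect_value=protect,
        protect=PAGE_PROTECTION.get(protect, f"0x{protect:x}"),
        mem_type=MEM_TYPE.get(mtype, f"0x{mtype:x}"), raw=name.strip(),
    )


def rva(address: int, module_base: int) -> int:
    """Offset of a code address from the module base (the 'Offset:' value)."""
    if address < module_base:
        raise ValueError("address lies below the module base")
    return address - module_base


def region_for(address: int, dumps: List[SdmpName]) -> Optional[SdmpName]:
    """Dump whose region contains `address`. The name carries no size, so a
    region is assumed to extend up to the next listed base address."""
    below = [d for d in sorted(dumps, key=lambda d: d.base) if d.base <= address]
    return below[-1] if below else None


def executable_regions(dumps: List[SdmpName]) -> List[SdmpName]:
    """Regions whose protection allows execution: where 'ref:' addresses are
    expected to land; a ref in a non-executable region is worth a second look."""
    return sorted((d for d in dumps if d.protect_value & EXECUTE_MASK),
                  key=lambda d: d.base)


def describe_ref(address: int, module_base: int, dumps: List[SdmpName]) -> str:
    """Human-readable placement of a 'ref:' address for triage notes."""
    region = region_for(address, dumps)
    where = (f"region {region.base:08X} ({region.protect}, {region.mem_type})"
             if region else "outside all dumped regions")
    return f"{address:08X} = base+0x{rva(address, module_base):x} in {where}"


if __name__ == "__main__":
    dumps = [parse_sdmp_name(n) for n in SAMPLE_DUMP_NAMES]
    for d in dumps:
        print(f"pid={d.pid} base={d.base:08X} {d.protect:24} {d.mem_type}")
    # 'ref:' of the AcquireSRWLockExclusive call above, module base 6BFE0000
    print(describe_ref(0x6C166AB9, 0x6BFE0000, dumps))
```

Run as a script it prints one line per region and then places the AcquireSRWLockExclusive reference at base+0x186ab9 inside the PAGE_EXECUTE_READ region starting at 6BFE1000, which is the region the corresponding Source File line names. Regions are sized by the next listed base only because the file name carries no length; for exact bounds, read the dump file sizes.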

                                        Execution Graph

                                        Execution Coverage:4%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:0.4%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:35
                                        execution_graph: in the original report this is an interactive call graph; its raw node and edge data is not reproduced here. Recoverable from the graph data: the entry node is 2ca42c (calls fputs/fputc), and the graph reaches Windows API calls through the following routines (node addresses as labelled in the graph): 2a3d66 (GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle; the sequence used to enable or disable a privilege on the process token), 296868 and 296848 (FindFirstFileW, FindClose), 299252 (GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW), 297b4f (ReadFile), 297c79 (WriteFile), 316a20 and 316b23 (VirtualAlloc), 327d80 (WaitForSingleObject, GetLastError), 327ea0 (SetEvent, GetLastError), 2a4d78 (VariantClear), 2a72a3 (SetFileSecurityW), 2942e3, 29472e, 2b204d and 2922bf (CharUpperW), 296ec7 (SetLastError), 297099 (wcscmp), 29757d, 2b0021, 29b8aa and 29b8ec (GetLastError). CRT calls seen along the paths: fputs, fputc, fflush, malloc, free, memcpy, memmove, _CxxThrowException, __EH_prolog, __aulldiv, ctype.
75842->75837 75843 2a7236 75843->75837 75843->75840 75843->75842 75845 2a6fcf __EH_prolog 75844->75845 75846 2a44a6 2 API calls 75845->75846 75849 2a6fec 75846->75849 75847 2a706a 75870 2a68ac 75847->75870 75849->75847 75853 2a7029 75849->75853 75888 2a6e71 12 API calls 2 library calls 75849->75888 75851 2a709e 75894 291e40 free 75851->75894 75853->75847 75889 2a4dff 7 API calls 2 library calls 75853->75889 75854 2a7051 75854->75847 75858 2a11b4 107 API calls 75854->75858 75857 2a70c0 75890 296096 15 API calls 2 library calls 75857->75890 75858->75847 75859 2a712e 75859->75843 75861 2a70d1 75864 2a70e2 75861->75864 75891 2a4dff 7 API calls 2 library calls 75861->75891 75867 2a70e6 75864->75867 75892 2a6b5e 69 API calls 2 library calls 75864->75892 75865 2a70fd 75866 2a7103 75865->75866 75865->75867 75893 291e40 free 75866->75893 75867->75851 75869 2a710b 75869->75859 75871 2a68b6 __EH_prolog 75870->75871 75872 2a6921 75871->75872 75873 297d4b 6 API calls 75871->75873 75887 2a68c5 75871->75887 75880 2a6962 75872->75880 75886 2a6998 75872->75886 75897 2a6a17 6 API calls 2 library calls 75872->75897 75877 2a6906 75873->75877 75874 2a69e1 75901 29bcf8 CloseHandle 75874->75901 75877->75872 75896 2a4dff 7 API calls 2 library calls 75877->75896 75880->75886 75898 292dcd malloc _CxxThrowException 75880->75898 75881 2a697a 75899 2a6b09 13 API calls __EH_prolog 75881->75899 75884 2a698c 75900 291e40 free 75884->75900 75886->75874 75895 297c3b SetFileTime 75886->75895 75887->75851 75887->75857 75888->75853 75889->75854 75890->75861 75891->75864 75892->75865 75893->75869 75894->75859 75895->75874 75896->75872 75897->75880 75898->75881 75899->75884 75900->75886 75901->75887 75902 32ffb1 __setusermatherr 75903 32ffbd 75902->75903 75907 330068 _controlfp 75903->75907 75905 32ffc2 _initterm __getmainargs _initterm __p___initenv 75906 2cc27c 75905->75906 75907->75905 75908 297b20 75911 297ab2 75908->75911 75912 297ac5 75911->75912 75919 29759a 75912->75919 75915 297aeb SetFileTime 
75916 297b03 75915->75916 75933 297919 75916->75933 75920 2975a4 __EH_prolog 75919->75920 75921 29764c CloseHandle 75920->75921 75922 2975af 75921->75922 75923 2975e9 75922->75923 75924 2975d4 CreateFileW 75922->75924 75932 297632 75922->75932 75925 292e04 2 API calls 75923->75925 75923->75932 75924->75923 75926 2975fb 75925->75926 75927 298b4a 9 API calls 75926->75927 75928 297611 75927->75928 75929 29762a 75928->75929 75930 297615 CreateFileW 75928->75930 75949 291e40 free 75929->75949 75930->75929 75932->75915 75932->75916 75934 297aac 75933->75934 75935 29793c 75933->75935 75935->75934 75936 297945 DeviceIoControl 75935->75936 75937 297969 75936->75937 75938 2979e6 75936->75938 75937->75938 75944 2979a7 75937->75944 75939 2979ef DeviceIoControl 75938->75939 75942 297a14 75938->75942 75940 297a22 DeviceIoControl 75939->75940 75939->75942 75941 297a44 DeviceIoControl 75940->75941 75940->75942 75941->75942 75942->75934 75951 29780d 8 API calls ctype 75942->75951 75950 299252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 75944->75950 75945 297aa5 75947 2977de 5 API calls 75945->75947 75947->75934 75948 2979d0 75948->75938 75949->75932 75950->75948 75951->75945 75952 2cc2e6 75953 2cc52f 75952->75953 75956 2c544f SetConsoleCtrlHandler 75953->75956 75955 2cc53b 75956->75955 75957 2dbf67 75958 2dbf74 75957->75958 75962 2dbf85 75957->75962 75958->75962 75963 2dbf8c 75958->75963 75964 2dbf96 __EH_prolog 75963->75964 75980 2dd144 75964->75980 75968 2dbfd0 75987 291e40 free 75968->75987 75970 2dbfdb 75988 291e40 free 75970->75988 75972 2dbfe6 75989 2dc072 free ctype 75972->75989 75974 2dbff4 75990 2aaafa free VariantClear ctype 75974->75990 75976 2dc023 75991 2b73d2 free VariantClear __EH_prolog ctype 75976->75991 75978 2dbf7f 75979 291e40 free 75978->75979 75979->75962 75983 2dd14e __EH_prolog 75980->75983 75992 2dd1b7 75983->75992 75985 2dbfc5 75986 291e40 free 75985->75986 75986->75968 75987->75970 75988->75972 75989->75974 75990->75976 75991->75978 76000 2dd23c 
75992->76000 75994 2dd1ed 76007 291e40 free 75994->76007 75996 2dd209 76008 291e40 free 75996->76008 75998 2dd180 75999 2d8e04 memset 75998->75999 75999->75985 76009 2dd2b8 76000->76009 76005 2dd275 76005->75994 76006 2dd25e 76026 291e40 free 76006->76026 76007->75996 76008->75998 76028 291e40 free 76009->76028 76011 2dd2c8 76029 291e40 free 76011->76029 76013 2dd2dc 76030 291e40 free 76013->76030 76015 2dd2e7 76031 291e40 free 76015->76031 76017 2dd2f2 76032 291e40 free 76017->76032 76019 2dd2fd 76033 291e40 free 76019->76033 76021 2dd308 76034 291e40 free 76021->76034 76023 2dd313 76025 2dd246 76023->76025 76035 291e40 free 76023->76035 76025->76006 76027 291e40 free 76025->76027 76026->76005 76027->76006 76028->76011 76029->76013 76030->76015 76031->76017 76032->76019 76033->76021 76034->76023 76035->76025 76036 2bcefb 76037 2bd0cc 76036->76037 76038 2bcf03 76036->76038 76038->76037 76083 2bcae9 VariantClear 76038->76083 76040 2bcf59 76040->76037 76084 2bcae9 VariantClear 76040->76084 76042 2bcf71 76042->76037 76085 2bcae9 VariantClear 76042->76085 76044 2bcf87 76044->76037 76086 2bcae9 VariantClear 76044->76086 76046 2bcf9d 76046->76037 76087 2bcae9 VariantClear 76046->76087 76048 2bcfb3 76048->76037 76088 2bcae9 VariantClear 76048->76088 76050 2bcfc9 76050->76037 76089 294504 malloc _CxxThrowException 76050->76089 76052 2bcfdc 76053 292e04 2 API calls 76052->76053 76055 2bcfe7 76053->76055 76054 2bd009 76058 2bd080 76054->76058 76059 2bd030 76054->76059 76077 2bd07b 76054->76077 76055->76054 76056 292f88 3 API calls 76055->76056 76056->76054 76094 2b7a0c CharUpperW 76058->76094 76062 292e04 2 API calls 76059->76062 76060 2bd0c4 76098 291e40 free 76060->76098 76065 2bd038 76062->76065 76064 2bd08b 76095 2afdbc 4 API calls 2 library calls 76064->76095 76066 292e04 2 API calls 76065->76066 76068 2bd046 76066->76068 76090 2afdbc 4 API calls 2 library calls 76068->76090 76069 2bd0a7 76071 292fec 3 API calls 76069->76071 76073 2bd0b3 76071->76073 76072 2bd057 76074 
292fec 3 API calls 76072->76074 76096 291e40 free 76073->76096 76076 2bd063 76074->76076 76091 291e40 free 76076->76091 76097 291e40 free 76077->76097 76079 2bd06b 76092 291e40 free 76079->76092 76081 2bd073 76093 291e40 free 76081->76093 76083->76040 76084->76042 76085->76044 76086->76046 76087->76048 76088->76050 76089->76052 76090->76072 76091->76079 76092->76081 76093->76077 76094->76064 76095->76069 76096->76077 76097->76060 76098->76037 76099 2c993d 76183 2cb5b1 76099->76183 76102 2c9963 76189 2a1f33 76102->76189 76103 291fb3 11 API calls 76103->76102 76105 2c9975 76106 2c99ce 76105->76106 76107 2c99b7 GetStdHandle GetConsoleScreenBufferInfo 76105->76107 76108 291e0c ctype 2 API calls 76106->76108 76107->76106 76109 2c99dc 76108->76109 76310 2b7b48 76109->76310 76111 2c9a29 76327 2cb96d _CxxThrowException 76111->76327 76113 2c9a30 76328 2b7018 8 API calls 2 library calls 76113->76328 76115 2c9a7c 76329 2bddb5 6 API calls 2 library calls 76115->76329 76116 2c9a66 _CxxThrowException 76116->76115 76118 2c9aa6 76120 2c9aaa _CxxThrowException 76118->76120 76129 2c9ac0 76118->76129 76119 2c9a37 76119->76115 76119->76116 76120->76129 76121 2c9b3a 76333 291fa0 fputc 76121->76333 76123 2c9bfa _CxxThrowException 76144 2c9be6 76123->76144 76125 2c9b63 fputs 76334 291fa0 fputc 76125->76334 76128 2c9b79 strlen strlen 76130 2c9baa fputs fputc 76128->76130 76131 2c9e25 76128->76131 76129->76121 76129->76123 76330 2b7dd7 7 API calls 2 library calls 76129->76330 76331 2cc077 6 API calls 76129->76331 76332 291e40 free 76129->76332 76130->76144 76342 291fa0 fputc 76131->76342 76134 2c9e2c fputs 76343 291fa0 fputc 76134->76343 76136 2c9f0c 76348 291fa0 fputc 76136->76348 76139 2c9f13 fputs 76349 291fa0 fputc 76139->76349 76141 2cb67d 12 API calls 76141->76144 76143 2c9e42 76143->76136 76177 2c9ee0 fputs 76143->76177 76344 2cb650 fputc fputs fputs fputc 76143->76344 76345 2921d8 fputs 76143->76345 76346 2cbde4 fputc fputs 76143->76346 76144->76130 76144->76131 76144->76141 76148 
292e04 2 API calls 76144->76148 76160 2c9d2a fputs 76144->76160 76166 2c9d5f fputs 76144->76166 76167 2931e5 malloc _CxxThrowException free _CxxThrowException 76144->76167 76335 2921d8 fputs 76144->76335 76336 29315e malloc _CxxThrowException free _CxxThrowException 76144->76336 76337 293221 malloc _CxxThrowException free _CxxThrowException 76144->76337 76338 291089 malloc _CxxThrowException free _CxxThrowException 76144->76338 76340 291fa0 fputc 76144->76340 76341 291e40 free 76144->76341 76145 2c9f29 76170 2c9f77 fputs 76145->76170 76178 2c9f9f 76145->76178 76350 2cb650 fputc fputs fputs fputc 76145->76350 76351 2cb5e9 fputc fputs 76145->76351 76352 2cbde4 fputc fputs 76145->76352 76147 2cac3a 76355 2cb96d _CxxThrowException 76147->76355 76148->76144 76149 2cac35 76354 2cb988 33 API calls __aulldiv 76149->76354 76153 2cac42 76356 291e40 free 76153->76356 76157 2cac4d 76158 2b3247 free 76157->76158 76159 2cac5d 76158->76159 76357 291e40 free 76159->76357 76339 2921d8 fputs 76160->76339 76165 2cac7d 76358 2911c2 free __EH_prolog ctype 76165->76358 76166->76144 76167->76144 76353 291fa0 fputc 76170->76353 76174 2cac89 76359 2cbe0c free __EH_prolog ctype 76174->76359 76347 291fa0 fputc 76177->76347 76178->76147 76178->76149 76179 2cac98 76360 2c2db9 free ctype 76179->76360 76182 2caca4 76184 2cb5bc fputs 76183->76184 76185 2c994a 76183->76185 76361 291fa0 fputc 76184->76361 76185->76102 76185->76103 76187 2cb5d5 76187->76185 76188 2cb5d9 fputs 76187->76188 76188->76185 76190 2a1f4f 76189->76190 76191 2a1f6c 76189->76191 76394 2b1d73 5 API calls __EH_prolog 76190->76394 76362 2a29eb 76191->76362 76194 2a1f5e _CxxThrowException 76194->76191 76196 2a1fa3 76198 2a1fbc 76196->76198 76200 294fc0 5 API calls 76196->76200 76201 2a1fda 76198->76201 76202 292fec 3 API calls 76198->76202 76199 2a1f95 _CxxThrowException 76199->76196 76200->76198 76203 2a2022 wcscmp 76201->76203 76211 2a2036 76201->76211 76202->76201 76204 2a20af 76203->76204 76203->76211 76396 2b1d73 5 API calls 
__EH_prolog 76204->76396 76206 2a20be _CxxThrowException 76206->76211 76207 2a20a9 76397 2a393c 6 API calls 2 library calls 76207->76397 76209 2a20f4 76398 2a393c 6 API calls 2 library calls 76209->76398 76211->76207 76216 2a219a 76211->76216 76212 2a2108 76213 2a2135 76212->76213 76399 2a2e04 62 API calls 2 library calls 76212->76399 76220 2a2159 76213->76220 76400 2a2e04 62 API calls 2 library calls 76213->76400 76401 2b1d73 5 API calls __EH_prolog 76216->76401 76218 2a21a9 _CxxThrowException 76218->76220 76219 2a227f 76367 2a2aa9 76219->76367 76220->76219 76221 2a2245 76220->76221 76402 2b1d73 5 API calls __EH_prolog 76220->76402 76224 292fec 3 API calls 76221->76224 76226 2a225c 76224->76226 76225 2a2237 _CxxThrowException 76225->76221 76226->76219 76403 2b1d73 5 API calls __EH_prolog 76226->76403 76227 2a22d9 76229 2a2302 76227->76229 76231 292fec 3 API calls 76227->76231 76232 294fc0 5 API calls 76229->76232 76230 292fec 3 API calls 76230->76227 76231->76229 76234 2a2315 76232->76234 76385 2a384c 76234->76385 76235 2a2271 _CxxThrowException 76235->76219 76237 2a2322 76240 2a26c6 76237->76240 76244 2a23a1 76237->76244 76238 2a28ce 76239 2a293a 76238->76239 76254 2a28d5 76238->76254 76245 2a293f 76239->76245 76246 2a29a5 76239->76246 76240->76238 76241 2a2700 76240->76241 76416 2b1d73 5 API calls __EH_prolog 76240->76416 76417 2a32ec 14 API calls 2 library calls 76241->76417 76252 2a247a wcscmp 76244->76252 76271 2a248e 76244->76271 76424 294eec 16 API calls 76245->76424 76248 2a29ae _CxxThrowException 76246->76248 76302 2a264d 76246->76302 76247 2a26f2 _CxxThrowException 76247->76241 76249 2a2713 76255 2a3a29 5 API calls 76249->76255 76251 2a294c 76425 294ea1 8 API calls 76251->76425 76257 2a24cf wcscmp 76252->76257 76252->76271 76254->76302 76423 2b1d73 5 API calls __EH_prolog 76254->76423 76266 2a2722 76255->76266 76261 2a24ef wcscmp 76257->76261 76257->76271 76258 2a2953 76263 294fc0 5 API calls 76258->76263 76262 2a250f 76261->76262 76261->76271 76407 
2b1d73 5 API calls __EH_prolog 76262->76407 76263->76302 76264 2a2920 _CxxThrowException 76264->76302 76268 2a27cf 76266->76268 76270 292fec 3 API calls 76266->76270 76267 2a251e _CxxThrowException 76269 2a252c 76267->76269 76272 2a2880 76268->76272 76277 2a281f 76268->76277 76419 2b1d73 5 API calls __EH_prolog 76268->76419 76273 2a2569 76269->76273 76408 2a2e04 62 API calls 2 library calls 76269->76408 76274 2a27a9 76270->76274 76271->76269 76404 294eec 16 API calls 76271->76404 76405 294ea1 8 API calls 76271->76405 76406 2b1d73 5 API calls __EH_prolog 76271->76406 76275 2a289b 76272->76275 76282 292fec 3 API calls 76272->76282 76279 2a258c 76273->76279 76409 2a2e04 62 API calls 2 library calls 76273->76409 76274->76268 76418 293563 memmove 76274->76418 76275->76302 76422 2b1d73 5 API calls __EH_prolog 76275->76422 76277->76272 76284 2a2847 76277->76284 76420 2b1d73 5 API calls __EH_prolog 76277->76420 76286 2a25a4 76279->76286 76410 2a2a61 malloc _CxxThrowException free _CxxThrowException memcpy 76279->76410 76280 2a24c1 _CxxThrowException 76280->76257 76282->76275 76283 2a2811 _CxxThrowException 76283->76277 76284->76272 76421 2b1d73 5 API calls __EH_prolog 76284->76421 76411 294eec 16 API calls 76286->76411 76292 2a25ad 76412 2b1b07 49 API calls 76292->76412 76293 2a28c0 _CxxThrowException 76293->76238 76294 2a2839 _CxxThrowException 76294->76284 76297 2a2872 _CxxThrowException 76297->76272 76298 2a25b4 76413 294ea1 8 API calls 76298->76413 76300 2a25bb 76301 292fec 3 API calls 76300->76301 76304 2a25d6 76300->76304 76301->76304 76302->76105 76303 2a261f 76303->76302 76305 292fec 3 API calls 76303->76305 76304->76302 76304->76303 76414 2b1d73 5 API calls __EH_prolog 76304->76414 76307 2a263f 76305->76307 76415 29859e malloc _CxxThrowException free _CxxThrowException 76307->76415 76308 2a2611 _CxxThrowException 76308->76303 76311 2b7b52 __EH_prolog 76310->76311 76435 2b7eec 76311->76435 76313 2b7ca4 76313->76111 76315 2930ea malloc _CxxThrowException free 76322 
2b7b63 76315->76322 76316 292e04 malloc _CxxThrowException 76316->76322 76318 291e40 free ctype 76318->76322 76320 2d04d2 5 API calls 76320->76322 76322->76313 76322->76315 76322->76316 76322->76318 76322->76320 76323 29429a 3 API calls 76322->76323 76325 2b7c61 memcpy 76322->76325 76440 2b70ea 76322->76440 76443 2b7a40 76322->76443 76461 2b7cc3 6 API calls 76322->76461 76462 2a12a5 76322->76462 76467 2b74eb malloc _CxxThrowException memcpy __EH_prolog ctype 76322->76467 76468 2b7193 76322->76468 76323->76322 76325->76322 76327->76113 76328->76119 76329->76118 76330->76129 76331->76129 76332->76129 76333->76125 76334->76128 76335->76144 76336->76144 76337->76144 76338->76144 76339->76144 76340->76144 76341->76144 76342->76134 76343->76143 76344->76143 76345->76143 76346->76143 76347->76143 76348->76139 76349->76145 76350->76145 76351->76145 76352->76145 76353->76145 76354->76147 76355->76153 76356->76157 76357->76165 76358->76174 76359->76179 76360->76182 76361->76187 76363 292f1c 2 API calls 76362->76363 76366 2a29fe 76363->76366 76365 2a1f7e 76365->76196 76395 2b1d73 5 API calls __EH_prolog 76365->76395 76426 291e40 free 76366->76426 76368 2a2ab3 __EH_prolog 76367->76368 76369 292e8a 2 API calls 76368->76369 76377 2a2b0f 76368->76377 76370 2a2af4 76369->76370 76427 2a2a61 malloc _CxxThrowException free _CxxThrowException memcpy 76370->76427 76371 2a22ad 76371->76227 76371->76230 76373 2a2b04 76428 291e40 free 76373->76428 76374 2a2bc6 76433 2b1d73 5 API calls __EH_prolog 76374->76433 76377->76371 76377->76374 76382 2a2b9f 76377->76382 76429 2a2cb4 48 API calls 2 library calls 76377->76429 76430 2a2bf5 8 API calls __EH_prolog 76377->76430 76431 2a2a61 malloc _CxxThrowException free _CxxThrowException memcpy 76377->76431 76378 2a2bd6 _CxxThrowException 76378->76371 76382->76371 76432 2b1d73 5 API calls __EH_prolog 76382->76432 76384 2a2bb8 _CxxThrowException 76384->76374 76391 2a3856 __EH_prolog 76385->76391 76386 292e04 malloc _CxxThrowException 76386->76391 76387 
292fec 3 API calls 76387->76391 76388 2d04d2 5 API calls 76388->76391 76389 292f88 3 API calls 76389->76391 76391->76386 76391->76387 76391->76388 76391->76389 76392 291e40 free ctype 76391->76392 76393 2a3917 76391->76393 76434 2a3b76 malloc _CxxThrowException __EH_prolog ctype 76391->76434 76392->76391 76393->76237 76394->76194 76395->76199 76396->76206 76397->76209 76398->76212 76399->76213 76400->76220 76401->76218 76402->76225 76403->76235 76404->76271 76405->76271 76406->76280 76407->76267 76408->76273 76409->76279 76410->76286 76411->76292 76412->76298 76413->76300 76414->76308 76415->76302 76416->76247 76417->76249 76418->76268 76419->76283 76420->76294 76421->76297 76422->76293 76423->76264 76424->76251 76425->76258 76426->76365 76427->76373 76428->76377 76429->76377 76430->76377 76431->76377 76432->76384 76433->76378 76434->76391 76436 2b7ef7 76435->76436 76437 2b7f14 76435->76437 76436->76437 76438 2b7193 free 76436->76438 76476 291e40 free 76436->76476 76437->76322 76438->76436 76441 292e04 2 API calls 76440->76441 76442 2b7103 76441->76442 76442->76322 76444 2b7a4a __EH_prolog 76443->76444 76477 29361b 6 API calls 2 library calls 76444->76477 76446 2b7a78 76478 29361b 6 API calls 2 library calls 76446->76478 76448 2b7b20 76480 2c2db9 free ctype 76448->76480 76450 292e04 malloc _CxxThrowException 76460 2b7a83 76450->76460 76451 2b7b2b 76481 2c2db9 free ctype 76451->76481 76453 2b7b37 76453->76322 76454 292fec 3 API calls 76454->76460 76455 2d04d2 5 API calls 76455->76460 76456 292fec 3 API calls 76457 2b7aca wcscmp 76456->76457 76457->76460 76459 291e40 free ctype 76459->76460 76460->76448 76460->76450 76460->76454 76460->76455 76460->76456 76460->76459 76479 2b7955 malloc _CxxThrowException __EH_prolog ctype 76460->76479 76461->76322 76463 2d04d2 5 API calls 76462->76463 76464 2a12ad 76463->76464 76465 291e0c ctype 2 API calls 76464->76465 76466 2a12b4 76465->76466 76466->76322 76467->76322 76469 2b719d __EH_prolog 76468->76469 76482 2c2db9 free ctype 
76469->76482 76471 2b71b3 76483 2b71d5 free __EH_prolog ctype 76471->76483 76473 2b71bf 76484 291e40 free 76473->76484 76475 2b71c7 76475->76322 76476->76436 76477->76446 76478->76460 76479->76460 76480->76451 76481->76453 76482->76471 76483->76473 76484->76475 76485 316ba3 VirtualFree 76486 327da0 WaitForSingleObject 76487 327dc1 76486->76487 76488 327dbb GetLastError 76486->76488 76489 327dce CloseHandle 76487->76489 76490 327ddf 76487->76490 76488->76487 76489->76490 76491 327dd9 GetLastError 76489->76491 76491->76490 76492 29c3bd 76493 29c3db 76492->76493 76494 29c3ca 76492->76494 76494->76493 76496 291e40 free 76494->76496 76496->76493 76497 2c5475 76498 292fec 3 API calls 76497->76498 76499 2c54b4 76498->76499 76500 2cc911 24 API calls 76499->76500 76501 2c54bb 76500->76501 76502 2cadb7 76503 2cadc1 __EH_prolog 76502->76503 76504 2926dd 2 API calls 76503->76504 76505 2cae1d 76504->76505 76506 292e04 2 API calls 76505->76506 76507 2cae38 76506->76507 76508 292e04 2 API calls 76507->76508 76509 2cae44 76508->76509 76510 292e04 2 API calls 76509->76510 76511 2cae68 76510->76511 76512 2cad29 2 API calls 76511->76512 76513 2cae85 76512->76513 76518 2caf2d 76513->76518 76515 2cae94 76516 292e04 2 API calls 76515->76516 76517 2caeb2 76516->76517 76519 2caf37 __EH_prolog 76518->76519 76530 2a34f4 malloc _CxxThrowException __EH_prolog 76519->76530 76521 2cafac 76522 292e04 2 API calls 76521->76522 76523 2cafbb 76522->76523 76524 292e04 2 API calls 76523->76524 76525 2cafca 76524->76525 76526 292e04 2 API calls 76525->76526 76527 2cafd9 76526->76527 76528 292e04 2 API calls 76527->76528 76529 2cafe8 76528->76529 76529->76515 76530->76521 76531 2d8eb1 76536 2d8ed1 76531->76536 76535 2d8ec9 76537 2d8edb __EH_prolog 76536->76537 76545 2d9267 76537->76545 76541 2d8efd 76550 2ce5f1 free ctype 76541->76550 76543 2d8eb9 76543->76535 76544 291e40 free 76543->76544 76544->76535 76546 2d9271 __EH_prolog 76545->76546 76551 291e40 free 76546->76551 76548 2d8ef1 76549 2d922b free 
CloseHandle GetLastError ctype 76548->76549 76549->76541 76550->76543 76551->76548 76553 3169d0 76554 3169d4 76553->76554 76555 3169d7 malloc 76553->76555 76556 2bd948 76586 2bdac7 76556->76586 76558 2bd94f 76559 292e04 2 API calls 76558->76559 76560 2bd97b 76559->76560 76561 292e04 2 API calls 76560->76561 76562 2bd987 76561->76562 76565 2bd9e7 76562->76565 76594 296404 76562->76594 76567 2bda0f 76565->76567 76584 2bda36 76565->76584 76619 291e40 free 76567->76619 76569 2bda94 76623 291e40 free 76569->76623 76571 2bd9bf 76617 291e40 free 76571->76617 76572 2bda17 76620 291e40 free 76572->76620 76575 292da9 2 API calls 76575->76584 76577 2bd9c7 76618 291e40 free 76577->76618 76578 2bda9c 76624 291e40 free 76578->76624 76581 2d04d2 5 API calls 76581->76584 76582 2bd9cf 76584->76569 76584->76575 76584->76581 76621 291524 malloc _CxxThrowException __EH_prolog ctype 76584->76621 76622 291e40 free 76584->76622 76587 2bdad1 __EH_prolog 76586->76587 76588 292e04 2 API calls 76587->76588 76589 2bdb33 76588->76589 76590 292e04 2 API calls 76589->76590 76591 2bdb3f 76590->76591 76592 292e04 2 API calls 76591->76592 76593 2bdb55 76592->76593 76593->76558 76595 29631f 9 API calls 76594->76595 76596 296414 76595->76596 76597 296423 76596->76597 76598 292f88 3 API calls 76596->76598 76599 292f88 3 API calls 76597->76599 76598->76597 76600 29643d 76599->76600 76601 2a7e5a 76600->76601 76602 2a7e64 __EH_prolog 76601->76602 76625 2a8179 76602->76625 76605 2b7ebb free 76606 2a7e7f 76605->76606 76607 292fec 3 API calls 76606->76607 76608 2a7e9a 76607->76608 76609 292da9 2 API calls 76608->76609 76610 2a7ea7 76609->76610 76611 296c72 44 API calls 76610->76611 76612 2a7eb7 76611->76612 76630 291e40 free 76612->76630 76614 2a7ed8 76614->76565 76614->76571 76615 2a7ecb 76615->76614 76631 29757d GetLastError 76615->76631 76617->76577 76618->76582 76619->76572 76620->76582 76621->76584 76622->76584 76623->76578 76624->76582 76628 2a8906 76625->76628 76626 2a7e77 76626->76605 76628->76626 
76632 2a8804 free ctype 76628->76632 76633 291e40 free 76628->76633 76630->76615 76631->76614 76632->76628 76633->76628 76634 2bd3c2 76635 2bd3e9 76634->76635 76636 29965d VariantClear 76635->76636 76637 2bd42a 76636->76637 76638 2bd883 2 API calls 76637->76638 76639 2bd4b1 76638->76639 76725 2b8d4a 76639->76725 76642 2b8b05 VariantClear 76644 2bd4e3 76642->76644 76643 2b2a72 2 API calls 76645 2bd54c 76643->76645 76644->76643 76646 292fec 3 API calls 76645->76646 76647 2bd594 76646->76647 76648 2bd5cd 76647->76648 76649 2bd742 76647->76649 76650 2bd7d9 76648->76650 76742 2b9317 76648->76742 76757 2bcd49 malloc _CxxThrowException free 76649->76757 76760 291e40 free 76650->76760 76654 2bd754 76657 292fec 3 API calls 76654->76657 76655 2bd7e1 76761 291e40 free 76655->76761 76660 2bd763 76657->76660 76659 2bd5f1 76663 2d04d2 5 API calls 76659->76663 76758 291e40 free 76660->76758 76662 2bd7e9 76665 2b326b free 76662->76665 76666 2bd5f9 76663->76666 76664 2bd76b 76759 291e40 free 76664->76759 76677 2bd69a 76665->76677 76748 2be332 76666->76748 76669 2bd773 76671 2b326b free 76669->76671 76671->76677 76673 2bd610 76755 291e40 free 76673->76755 76675 2bd618 76676 2b326b free 76675->76676 76678 2bd2a8 76676->76678 76678->76677 76700 2bd883 76678->76700 76681 292fec 3 API calls 76682 2bd361 76681->76682 76683 292fec 3 API calls 76682->76683 76684 2bd36d 76683->76684 76712 2bd0e1 76684->76712 76686 2bd380 76687 2bd38a 76686->76687 76688 2bd665 76686->76688 76690 2d04d2 5 API calls 76687->76690 76689 2bd68b 76688->76689 76756 2bcd49 malloc _CxxThrowException free 76688->76756 76692 2b326b free 76689->76692 76693 2bd392 76690->76693 76692->76677 76695 2be332 2 API calls 76693->76695 76694 2bd67c 76696 292fec 3 API calls 76694->76696 76697 2bd3a1 76695->76697 76696->76689 76698 2b326b free 76697->76698 76699 2bd3b0 76698->76699 76701 2bd88d __EH_prolog 76700->76701 76702 292e04 2 API calls 76701->76702 76703 2bd8c6 76702->76703 76704 292e04 2 API calls 76703->76704 76705 2bd8d2 
76704->76705 76706 292e04 2 API calls 76705->76706 76707 2bd8de 76706->76707 76708 2b2b63 2 API calls 76707->76708 76709 2bd8fa 76708->76709 76710 2b2b63 2 API calls 76709->76710 76711 2bd34f 76710->76711 76711->76681 76713 2bd0eb __EH_prolog 76712->76713 76714 2bd10b 76713->76714 76715 2bd138 76713->76715 76716 291e0c ctype 2 API calls 76714->76716 76717 291e0c ctype 2 API calls 76715->76717 76718 2bd112 76715->76718 76716->76718 76719 2bd14b 76717->76719 76718->76686 76720 292fec 3 API calls 76719->76720 76721 2bd17b 76720->76721 76762 297b41 28 API calls 76721->76762 76723 2bd18a 76723->76718 76763 29757d GetLastError 76723->76763 76731 2b8d54 __EH_prolog 76725->76731 76726 2b8e09 76728 29965d VariantClear 76726->76728 76727 2b8e15 76729 2b8e2d 76727->76729 76730 2b8e5e 76727->76730 76732 2b8e21 76727->76732 76739 2b8e11 76728->76739 76729->76730 76737 2b8e2b 76729->76737 76733 29965d VariantClear 76730->76733 76740 2b8da4 76731->76740 76764 292b55 malloc _CxxThrowException free _CxxThrowException ctype 76731->76764 76765 293097 malloc _CxxThrowException free SysStringLen ctype 76732->76765 76733->76739 76735 29965d VariantClear 76738 2b8e47 76735->76738 76737->76735 76738->76739 76766 2b8e7c 6 API calls __EH_prolog 76738->76766 76739->76642 76740->76726 76740->76727 76740->76739 76744 2b9321 __EH_prolog 76742->76744 76743 29965d VariantClear 76745 2b93d0 76743->76745 76747 2b9360 76744->76747 76767 299686 VariantClear 76744->76767 76745->76650 76745->76659 76747->76743 76749 2be33c __EH_prolog 76748->76749 76750 291e0c ctype 2 API calls 76749->76750 76751 2be34a 76750->76751 76752 2bd608 76751->76752 76768 2be3d1 malloc _CxxThrowException __EH_prolog 76751->76768 76754 291e40 free 76752->76754 76754->76673 76755->76675 76756->76694 76757->76654 76758->76664 76759->76669 76760->76655 76761->76662 76762->76723 76763->76718 76764->76740 76765->76737 76766->76739 76767->76747 76768->76752 76769 29b144 76770 29b153 76769->76770 76772 29b159 76769->76772 76771 2a11b4 
107 API calls 76770->76771 76771->76772 76773 2d0343 76778 2d035f 76773->76778 76777 2d0358 76779 2d0369 __EH_prolog 76778->76779 76795 2a139e 76779->76795 76784 2d0143 ctype free 76785 2d039a 76784->76785 76805 291e40 free 76785->76805 76787 2d03a2 76806 291e40 free 76787->76806 76789 2d03aa 76807 2d03d8 76789->76807 76794 291e40 free 76794->76777 76796 2a13ae 76795->76796 76798 2a13b3 76795->76798 76823 327ea0 SetEvent GetLastError 76796->76823 76799 2d01c4 76798->76799 76800 2d01ce __EH_prolog 76799->76800 76803 2d0203 76800->76803 76825 291e40 free 76800->76825 76802 2d020b 76802->76784 76824 291e40 free 76803->76824 76805->76787 76806->76789 76808 2d03e2 __EH_prolog 76807->76808 76809 2a139e ctype 2 API calls 76808->76809 76810 2d03fb 76809->76810 76826 327d50 76810->76826 76812 2d0403 76813 327d50 ctype 2 API calls 76812->76813 76814 2d040b 76813->76814 76815 327d50 ctype 2 API calls 76814->76815 76816 2d03b7 76815->76816 76817 2d004a 76816->76817 76818 2d0054 __EH_prolog 76817->76818 76832 291e40 free 76818->76832 76820 2d0067 76833 291e40 free 76820->76833 76822 2d006f 76822->76777 76822->76794 76823->76798 76824->76802 76825->76800 76827 327d7b 76826->76827 76828 327d59 CloseHandle 76826->76828 76827->76812 76829 327d64 GetLastError 76828->76829 76830 327d75 76828->76830 76829->76827 76831 327d6e 76829->76831 76830->76827 76831->76812 76832->76820 76833->76822 76834 2ba7c5 76851 2ba7e9 76834->76851 76884 2ba96b 76834->76884 76835 2bade3 76939 291e40 free 76835->76939 76837 2ba952 76837->76884 76920 2be0b0 6 API calls 76837->76920 76838 2badeb 76940 291e40 free 76838->76940 76842 2bac1e 76926 291e40 free 76842->76926 76843 2bae99 76845 291e0c ctype 2 API calls 76843->76845 76844 2d04d2 malloc _CxxThrowException free _CxxThrowException memcpy 76848 2badf3 76844->76848 76849 2baea9 memset memset 76845->76849 76848->76843 76848->76844 76852 2baedd 76849->76852 76850 2bac26 76927 291e40 free 76850->76927 76851->76837 76859 2d04d2 5 API calls 76851->76859 76919 
                                        Execution graph, continued (rendered interactively in the original report; only the node labels survived extraction). Nodes are function start addresses inside the 0x290000 image, edges lead from caller to callee. Library and API calls visible in this part of the graph: free, malloc, memcpy, memmove, _CxxThrowException, __EH_prolog, __aulldiv, ctype, VariantClear, SysAllocStringLen, GetModuleHandleA, GetProcAddress, GlobalMemoryStatus, GlobalMemoryStatusEx, GetCurrentProcess, GetProcessAffinityMask, GetSystemInfo, VirtualFree, CloseHandle, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError. Two routines stand out: the function at 0x299313 runs the privilege-enabling sequence GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle; the functions at 0x299c4d and 0x299c8f query processor and memory information (GetCurrentProcess/GetProcessAffinityMask, GetSystemInfo, then GetModuleHandleA/GetProcAddress followed by either GlobalMemoryStatusEx or GlobalMemoryStatus).
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D81F1
                                          • Part of subcall function 002DF749: _CxxThrowException.MSVCRT(?,00344A58), ref: 002DF792
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: ExceptionH_prologThrow
                                        • String ID:
                                        • API String ID: 461045715-3916222277
                                        • Opcode ID: f5eb9bc16dd0a186fb2ff8333e0b56490bf6c3380ad8ec858ce1a6728be53375
                                        • Instruction ID: b04394501e8d5d02efe58c34d719bb9f7c05cd010e9af2a51ab6231f2547d0a5
                                        • Opcode Fuzzy Hash: f5eb9bc16dd0a186fb2ff8333e0b56490bf6c3380ad8ec858ce1a6728be53375
                                        • Instruction Fuzzy Hash: C6928D3191024ADFDF15DFA8C894BAEBBB1BF18304F24409AE855AB391CB709D65CF61
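Every function record on this page repeats the same Memory Dump Source block: one Source File line naming the dump the function was disassembled from, plus the Associated dumps of the other mapped regions of the same image. The fields packed into each .sdmp name tell you which dump is executable code and which is data before you open any of them. The parser below is an added example for this page, not Joe Sandbox code and not part of the analysed sample; the field order of the file name (pid.phase.dumpid.base.protect.flags.type.tail) is inferred from the records on this page and is an assumption, while the protection and region-type constants are the documented Win32 PAGE_* and MEM_* values. The two fields kept as "flags" and "tail" are left uninterpreted.

```python
"""Parse the "Memory Dump Source" records of a Joe Sandbox function listing.

Added example, not Joe Sandbox code. Assumption: .sdmp names are laid out as
pid.phase.dumpid.base.protect.flags.type.tail (inferred from this report).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# winnt.h memory protection constants (low byte of the protect field)
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h region types as reported by VirtualQuery
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_NAME = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<flags>[0-9A-F]{8})\."
    r"(?P<mem_type>[0-9A-F]{8})\.(?P<tail>[0-9A-F]{8})\.sdmp", re.IGNORECASE)
# One record line: optional bullet, role, file name, then either
# ", Offset: ..., based on PE: true" or the "Download File" link text that the
# report's download button leaves glued to the name.
RECORD_LINE = re.compile(
    r"^\s*•?\s*(?P<role>Source File|Associated):\s*(?P<name>\S+?\.sdmp)(?P<rest>.*)$")


@dataclass
class DumpRegion:
    role: str
    pid: int
    phase: int
    dump_id: int
    base: int
    protect: int
    mem_type: int
    name: str
    offset: Optional[int] = None        # image base, only on the Source File line
    based_on_pe: Optional[bool] = None

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any of the PAGE_EXECUTE* values

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_record_line(line: str) -> Optional[DumpRegion]:
    """Return a DumpRegion for one 'Source File' / 'Associated' line, else None."""
    m = RECORD_LINE.match(line)
    n = SDMP_NAME.fullmatch(m.group("name")) if m else None
    if not n:
        return None
    rest = m.group("rest")
    off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", rest)
    pe = re.search(r"based on PE:\s*(true|false)", rest, re.IGNORECASE)
    return DumpRegion(
        role=m.group("role"), pid=int(n.group("pid"), 16),
        phase=int(n.group("phase"), 16), dump_id=int(n.group("dump_id")),
        base=int(n.group("base"), 16), protect=int(n.group("protect"), 16),
        mem_type=int(n.group("mem_type"), 16), name=m.group("name"),
        offset=int(off.group(1), 16) if off else None,
        based_on_pe=(pe.group(1).lower() == "true") if pe else None,
    )


def parse_dump_sources(lines: Iterable[str]) -> List[DumpRegion]:
    """Parse all record lines and return the regions ordered by base address."""
    regions = [r for r in map(parse_record_line, lines) if r is not None]
    return sorted(regions, key=lambda r: r.base)


def executable_regions(regions: List[DumpRegion]) -> List[DumpRegion]:
    """The dumps worth loading into a disassembler: those mapped executable."""
    return [r for r in regions if r.executable]


def module_layout(regions: List[DumpRegion]) -> List[Tuple[int, str, str]]:
    """(RVA, protection, type) per region, relative to the Source File's Offset."""
    src = next((r for r in regions if r.role == "Source File" and r.offset is not None), None)
    image_base = src.offset if src else min(r.base for r in regions)
    return [(r.base - image_base, r.protection_name, r.type_name) for r in regions]


# Sample input: the five lines of the record above, copied from this report.
SAMPLE_LINES = [
    "• Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true",
    "• Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmpDownload File",
    "• Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmpDownload File",
]

if __name__ == "__main__":
    for rva, prot, kind in module_layout(parse_dump_sources(SAMPLE_LINES)):
        print(f"RVA 0x{rva:06X}  {prot:<22} {kind}")
```

Run on the record above, the layout comes out as one MEM_IMAGE module at 0x290000 with a read-only header, a single PAGE_EXECUTE_READ region at RVA 0x1000 (the dump the IDA plugin disassembled), two read-only regions and one PAGE_READWRITE region at RVA 0xC2000; only the executable region needs to go into a disassembler, the rest are data to attach for strings and cross-references.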
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 0029686D
                                          • Part of subcall function 00296848: FindClose.KERNELBASE(00000000,?,00296880), ref: 00296853
                                        • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 002968A5
                                        • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 002968DE
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: Find$FileFirst$CloseH_prolog
                                        • String ID:
                                        • API String ID: 3371352514-0
                                        • Opcode ID: aaf9d6191cce2067f4f0ae2e2e8f6a123e5f1cd9b543bd3e1482c3061e021b1e
                                        • Instruction ID: d21c03bb9dc65ff90cfac893fe1c636d171f3b858027918756ee5d83b55c757f
                                        • Opcode Fuzzy Hash: aaf9d6191cce2067f4f0ae2e2e8f6a123e5f1cd9b543bd3e1482c3061e021b1e
                                        • Instruction Fuzzy Hash: BD11B13141020A9BCF10AFA4C8995FDB7B8EF10324F104629D9A157191DB318EA9DB40

                                        Control-flow Graph

                                        • Rendered interactively in the original report (legend: Executed / Not Executed); only the block labels survived extraction. Function at 0x2ca013 with basic blocks up to 0x2cacb5. The blocks call fputs through the print helpers at 0x291fa0, 0x291fb3 and 0x292201 for the summary strings listed below, together with the internal routines 0x2d04d2, 0x291524, 0x2cb0fa, 0x2cb277, 0x2cc7d7 and 0x2c2db9.
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$ExceptionThrow
                                        • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&5$p&5$N
                                        • API String ID: 3665150552-2524762932
                                        • Opcode ID: 0c55b2d8f297afe0284f5a50b85e33d53647fb8872459ab11576f6b283794bc6
                                        • Instruction ID: b7e8cd7aaf539c4a9613ea49d663f2b2591807d0412c8e767b2379141edd1efc
                                        • Opcode Fuzzy Hash: 0c55b2d8f297afe0284f5a50b85e33d53647fb8872459ab11576f6b283794bc6
                                        • Instruction Fuzzy Hash: 9E527B3191025DDFCF26DBA4C885BEDBBB5AF44304F14429EE44A672A1DB706EA8CF11

                                        Control-flow Graph

                                        • Rendered interactively in the original report (legend: Executed / Not Executed); only the block labels survived extraction. Function at 0x2ca42c: the first block prints "Scanning the drive for archives:" via fputs and the fputc helper at 0x291fa0, then the graph continues through the same summary-printing blocks (0x2ca546 onward, fputs via 0x291fa0 and 0x292201) as the function above, ending in the blocks at 0x2cac0b.
                                        APIs
                                        • fputs.MSVCRT(Scanning the drive for archives:), ref: 002CA43E
                                          • Part of subcall function 00291FA0: fputc.MSVCRT ref: 00291FA7
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputcfputs
                                        • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&5$p&5$!"$N
                                        • API String ID: 269475090-166387570
                                        • Opcode ID: cb0396c204fc28f93a9d159ed330bcb201a4cd9eb213abeca4c2c20a21e12572
                                        • Instruction ID: 78049692120b9cd9eb79a2f24946f920c1a54198d1bc9e39afcf7c45e8233128
                                        • Opcode Fuzzy Hash: cb0396c204fc28f93a9d159ed330bcb201a4cd9eb213abeca4c2c20a21e12572
                                        • Instruction Fuzzy Hash: 09229D31920259DFDF26EBA4C846BEDFBB1AF44304F14419EE44A672A1DB706EA4CF11

                                        Control-flow Graph

                                        • Rendered interactively in the original report (legend: Executed / Not Executed); only the block labels survived extraction. Function at 0x2c8012 with basic blocks up to 0x2c82b9. Library calls visible in the graph: fputs, SysFreeString (three call sites) and VariantClear through the helper at 0x29965d, plus the internal routines 0x2c8341, 0x2c8622, 0x2c8565, 0x2c82bb and 0x2c84a7.
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002C8017
                                        • fputs.MSVCRT ref: 002C804D
                                          • Part of subcall function 002C8341: __EH_prolog.LIBCMT ref: 002C8346
                                          • Part of subcall function 002C8341: fputs.MSVCRT ref: 002C835B
                                          • Part of subcall function 002C8341: fputs.MSVCRT ref: 002C8364
                                        • fputs.MSVCRT ref: 002C807A
                                          • Part of subcall function 00291FA0: fputc.MSVCRT ref: 00291FA7
                                          • Part of subcall function 0029965D: VariantClear.OLEAUT32(?), ref: 0029967F
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C81AA
                                        • fputs.MSVCRT ref: 002C81CD
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C8267
                                        • SysFreeString.OLEAUT32(00000000), ref: 002C82B1
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                        • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                        • API String ID: 2889736305-3797937567
                                        • Opcode ID: b3c171414e0517c8a4a6ca08c81729a1004cdf41dcab997c79aaa7cbef565752
                                        • Instruction ID: 00910b82e6f6d8edaadc09df4f9f5ed04a7f31710a32ca7ae9448ca641622ed4
                                        • Opcode Fuzzy Hash: b3c171414e0517c8a4a6ca08c81729a1004cdf41dcab997c79aaa7cbef565752
                                        • Instruction Fuzzy Hash: ED915831A20605EFDB15DFA4C985FAEB7B5FF48310F20822DE916A7291DB70AD15CB60

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 846 2c6766-2c6792 call 32fb10 EnterCriticalSection 849 2c67af-2c67b7 846->849 850 2c6794-2c6799 call 2cc7d7 846->850 852 2c67be-2c67c3 849->852 853 2c67b9 call 291f91 849->853 856 2c679e-2c67ac 850->856 854 2c67c9-2c67d5 852->854 855 2c6892-2c68a8 852->855 853->852 858 2c6817-2c682f 854->858 859 2c67d7-2c67dd 854->859 860 2c68ae-2c68b4 855->860 861 2c6941 855->861 856->849 864 2c6831-2c6842 call 291fa0 858->864 865 2c6873-2c687b 858->865 859->858 862 2c67df-2c67eb 859->862 860->861 863 2c68ba-2c68c2 860->863 866 2c6943-2c695a 861->866 869 2c67ed 862->869 870 2c67f3-2c6801 862->870 868 2c6933-2c693f call 2cc5cd 863->868 871 2c68c4-2c68e6 call 291fa0 fputs 863->871 864->865 883 2c6844-2c686c fputs call 292201 864->883 867 2c6881-2c6887 865->867 865->868 867->868 873 2c688d 867->873 868->866 869->870 870->865 875 2c6803-2c6815 fputs 870->875 885 2c68e8-2c68f9 fputs 871->885 886 2c68fb-2c6917 call 2a4f2a call 291fb3 call 291e40 871->886 879 2c692e call 291f91 873->879 881 2c686e call 291fa0 875->881 879->868 881->865 883->881 889 2c691c-2c6928 call 291fa0 885->889 886->889 889->879
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002C676B
                                        • EnterCriticalSection.KERNEL32(00352938), ref: 002C6781
                                        • fputs.MSVCRT ref: 002C680B
                                        • LeaveCriticalSection.KERNEL32(00352938), ref: 002C6944
                                          • Part of subcall function 002CC7D7: fputs.MSVCRT ref: 002CC840
                                        • fputs.MSVCRT ref: 002C6851
                                          • Part of subcall function 00292201: fputs.MSVCRT ref: 0029221E
                                        • fputs.MSVCRT ref: 002C68D9
                                        • fputs.MSVCRT ref: 002C68F6
                                          • Part of subcall function 00291FA0: fputc.MSVCRT ref: 00291FA7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                        • String ID: v$8)5$8)5$Sub items Errors:
                                        • API String ID: 2670240366-2653545583
                                        • Opcode ID: a3364b4ac595ab510a5224eede66038cf123537ed177b53a07f67320f85615fb
                                        • Instruction ID: 0bd94e63523f2e51e91ce385f7c02a3b0e4c9127e1ab920551ab09e6bf4c419f
                                        • Opcode Fuzzy Hash: a3364b4ac595ab510a5224eede66038cf123537ed177b53a07f67320f85615fb
                                        • Instruction Fuzzy Hash: 6551AE31920601CFCB259F64D898FEAB7E2FF84310F544A2EE59A97661DB306C68CF50

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 898 2c6359-2c6373 call 32fb10 901 2c639e-2c63af call 2c5a4d 898->901 902 2c6375-2c6385 call 2cc7d7 898->902 907 2c65ee-2c65f1 901->907 908 2c63b5-2c63cd 901->908 902->901 909 2c6387-2c639b 902->909 912 2c6624-2c663c 907->912 913 2c65f3-2c65fb 907->913 910 2c63cf 908->910 911 2c63d2-2c63d4 908->911 909->901 910->911 916 2c63df-2c63e7 911->916 917 2c63d6-2c63d9 911->917 914 2c663e call 291f91 912->914 915 2c6643-2c664b 912->915 918 2c66ea call 2cc5cd 913->918 919 2c6601-2c6607 call 2c8012 913->919 914->915 915->918 922 2c6651-2c668f fputs call 29211a call 291fa0 call 2c8685 915->922 923 2c63e9-2c63f2 call 291fa0 916->923 924 2c6411-2c6413 916->924 917->916 921 2c64b1-2c64bc call 2c6700 917->921 930 2c66ef-2c66fd 918->930 933 2c660c-2c660e 919->933 944 2c64be-2c64c1 921->944 945 2c64c7-2c64cf 921->945 922->930 986 2c6691-2c6697 922->986 923->924 949 2c63f4-2c640c call 29210c call 291fa0 923->949 931 2c6415-2c641d 924->931 932 2c6442-2c6446 924->932 939 2c641f-2c6425 call 2c6134 931->939 940 2c642a-2c643b 931->940 935 2c6448-2c6450 932->935 936 2c6497-2c649f 932->936 933->930 941 2c6614-2c661f call 291fa0 933->941 946 2c647f-2c6490 935->946 947 2c6452-2c647a fputs call 291fa0 call 291fb3 call 291fa0 935->947 936->921 950 2c64a1-2c64ac call 291fa0 call 291f91 936->950 939->940 940->932 941->918 944->945 952 2c65a2-2c65a6 944->952 953 2c64f9-2c64fb 945->953 954 2c64d1-2c64da call 291fa0 945->954 946->936 947->946 949->924 950->921 959 2c65a8-2c65b6 952->959 960 2c65da-2c65e6 952->960 965 2c64fd-2c6505 953->965 966 2c652a-2c652e 953->966 954->953 983 2c64dc-2c64f4 call 29210c call 291fa0 954->983 968 2c65b8-2c65ca call 2c6244 959->968 969 2c65d3 959->969 960->908 974 2c65ec 960->974 977 2c6507-2c650d call 2c6134 965->977 978 2c6512-2c6523 965->978 970 2c657f-2c6587 966->970 971 2c6530-2c6538 966->971 968->969 995 2c65cc-2c65ce call 291f91 968->995 969->960 970->952 985 2c6589-2c6595 call 291fa0 970->985 981 2c653a-2c6562 fputs call 291fa0 call 291fb3 call 291fa0 971->981 982 2c6567-2c6578 971->982 974->907 977->978 978->966 981->982 982->970 983->953 985->952 1007 2c6597-2c659d call 291f91 985->1007 993 2c66df-2c66e5 call 291f91 986->993 994 2c6699-2c669f 986->994 993->918 1000 2c66a1-2c66b1 fputs 994->1000 1001 2c66b3-2c66ce call 2a4f2a call 291fb3 call 291e40 994->1001 995->969 1002 2c66d3-2c66da call 291fa0 1000->1002 1001->1002 1002->993 1007->952
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002C635E
                                        • fputs.MSVCRT ref: 002C645F
                                          • Part of subcall function 002CC7D7: fputs.MSVCRT ref: 002CC840
                                        • fputs.MSVCRT ref: 002C6547
                                        • fputs.MSVCRT ref: 002C665F
                                        • fputs.MSVCRT ref: 002C66AE
                                          • Part of subcall function 00291F91: fflush.MSVCRT ref: 00291F93
                                          • Part of subcall function 00291FB3: __EH_prolog.LIBCMT ref: 00291FB8
                                          • Part of subcall function 00291E40: free.MSVCRT ref: 00291E44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog$fflushfree
                                        • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                        • API String ID: 1750297421-1898165966
                                        • Opcode ID: 6c447e3d12063d3b73f85ea1b864e3fc266b28a0388f607b194e9e69515d3f41
                                        • Instruction ID: fe1eb5d9d29b47128a6e79ff1f4d0f9d3adca296508f2af290bb8b689e709173
                                        • Opcode Fuzzy Hash: 6c447e3d12063d3b73f85ea1b864e3fc266b28a0388f607b194e9e69515d3f41
                                        • Instruction Fuzzy Hash: F3B1AC306217068FDB28EF61C9A9FAAB7E1BF44304F14462DE55A576A2CB34AC64CF50

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                         control_flow_graph 1563 296c72-296c8e call 32fb10 1566 296c90-296c94 1563->1566 1567 296c96-296c9e 1563->1567 1566->1567 1568 296cd3-296cdc call 298664 1566->1568 1569 296ca0-296ca4 1567->1569 1570 296ca6-296cae 1567->1570 1576 296ce2-296d02 call 2967f0 call 292f88 call 2987df 1568->1576 1577 296d87-296d92 call 2988c6 1568->1577 1569->1568 1569->1570 1570->1568 1572 296cb0-296cb5 1570->1572 1572->1568 1574 296cb7-296cce call 2967f0 call 292f88 1572->1574 1589 29715d-29715f 1574->1589 1602 296d4a-296d61 call 297b41 1576->1602 1603 296d04-296d09 1576->1603 1584 296d98-296d9e 1577->1584 1585 296f4c-296f62 call 2987fa 1577->1585 1584->1585 1588 296da4-296dc7 call 292e47 * 2 1584->1588 1597 296f64-296f66 1585->1597 1598 296f67-296f74 call 2985e2 1585->1598 1610 296dc9-296dcf 1588->1610 1611 296dd4-296dda 1588->1611 1595 297118-297126 1589->1595 1597->1598 1612 296fd1-296fd8 1598->1612 1613 296f76-296f7c 1598->1613 1615 296d63-296d65 1602->1615 1616 296d67-296d6b 1602->1616 1603->1602 1607 296d0b-296d38 call 299252 1603->1607 1607->1602 1622 296d3a-296d45 1607->1622 1610->1611 1617 296ddc-296def call 292407 1611->1617 1618 296df1-296df9 call 293221 1611->1618 1619 296fda-296fde 1612->1619 1620 296fe4-296feb 1612->1620 1613->1612 1621 296f7e-296f8a call 296bf5 1613->1621 1623 296d7a-296d82 call 29764c 1615->1623 1624 296d78 1616->1624 1625 296d6d-296d75 1616->1625 1617->1618 1636 296dfe-296e0b call 2987df 1617->1636 1618->1636 1619->1620 1628 2970e5-2970ea call 296868 1619->1628 1629 29701d-297024 call 298782 1620->1629 1630 296fed-296ff7 call 296bf5 1620->1630 1621->1628 1639 296f90-296f93 1621->1639 1622->1589 1650 297116 1623->1650 1624->1623 1625->1624 1641 2970ef-2970f3 1628->1641 1629->1628 1647 29702a-297035 1629->1647 1630->1628 1645 296ffd-297000 1630->1645 1652 296e0d-296e10 1636->1652 1653 296e43-296e50 call 296c72 1636->1653 1639->1628 1646 296f99-296fb6 call 2967f0 call 292f88 1639->1646 1648 29710c 1641->1648 1649 2970f5-2970f7 1641->1649 1645->1628 1654 297006-29701b call 2967f0 1645->1654 1683 296fb8-296fbd 1646->1683 1684 296fc2-296fc5 call 29717b 1646->1684 1647->1628 1656 29703b-297044 call 298578 1647->1656 1658 29710e-297111 call 296848 1648->1658 1649->1648 1657 2970f9-297102 1649->1657 1650->1595 1659 296e1e-296e36 call 2967f0 1652->1659 1660 296e12-296e15 1652->1660 1678 296f3a-296f4b call 291e40 * 2 1653->1678 1679 296e56 1653->1679 1674 296fca-296fcc 1654->1674 1656->1628 1677 29704a-297054 call 29717b 1656->1677 1657->1648 1665 297104-297107 call 29717b 1657->1665 1658->1650 1681 296e58-296e7e call 292f1c call 292e04 1659->1681 1682 296e38-296e41 call 292fec 1659->1682 1660->1653 1667 296e17-296e1c 1660->1667 1665->1648 1667->1653 1667->1659 1674->1658 1693 297064-297097 call 292e47 call 291089 * 2 call 296868 1677->1693 1694 297056-29705f call 292f88 1677->1694 1678->1585 1679->1681 1701 296e83-296e99 call 296bb5 1681->1701 1682->1681 1683->1684 1684->1674 1725 297099-2970af wcscmp 1693->1725 1726 2970bf-2970cc call 296bf5 1693->1726 1703 297155-297158 call 296848 1694->1703 1709 296e9b-296e9f 1701->1709 1710 296ecf-296ed1 1701->1710 1703->1589 1712 296ea1-296eae call 2922bf 1709->1712 1713 296ec7-296ec9 SetLastError 1709->1713 1715 296f09-296f35 call 291e40 * 2 call 296848 call 291e40 * 2 1710->1715 1722 296eb0-296ec5 call 291e40 call 292e04 1712->1722 1723 296ed3-296ed9 1712->1723 1713->1710 1715->1650 1722->1701 1727 296edb-296ee0 1723->1727 1728 296eec-296f07 call 2931e5 1723->1728 1731 2970bb 1725->1731 1732 2970b1-2970b6 1725->1732 1740 297129-297133 call 2967f0 1726->1740 1741 2970ce-2970d1 1726->1741 1727->1728 1734 296ee2-296ee8 1727->1734 1728->1715 1731->1726 1738 297147-297154 call 292f88 call 291e40 1732->1738 1734->1728 1738->1703 1757 29713a 1740->1757 1758 297135-297138 1740->1758 1746 2970d8-2970e4 call 291e40 1741->1746 1747 2970d3-2970d6 1741->1747 1746->1628 1747->1740 1747->1746 1761 297141-297144 1757->1761 1758->1761 1761->1738
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 00296C77
                                        • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00296EC9
                                          • Part of subcall function 00296C72: wcscmp.MSVCRT ref: 002970A5
                                          • Part of subcall function 00296BF5: __EH_prolog.LIBCMT ref: 00296BFA
                                          • Part of subcall function 00296BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00296C1A
                                          • Part of subcall function 00296BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00296C49
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                        • String ID: :$DATA
                                        • API String ID: 3316598575-2587938151
                                        • Opcode ID: a8009eefa8ffb95d662219344b270a07f29c1f8e286da8d9a2f9945453f8cea5
                                        • Instruction ID: 5af4272fe0eadf189fcb29ff73491ef1191f8e8754ef6e811a0f6af87f8b56c2
                                        • Opcode Fuzzy Hash: a8009eefa8ffb95d662219344b270a07f29c1f8e286da8d9a2f9945453f8cea5
                                        • Instruction Fuzzy Hash: 24E1033093020ADBCF25EFA4C899BEEB7F1BF15314F104529E88A672D1DB706969CB11
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog
                                        • String ID: =
                                        • API String ID: 2614055831-2525689732
                                        • Opcode ID: 2ee84054e29619149678991aedad16e08f51cc12fbe78d85790a31da00286569
                                        • Instruction ID: 70836c3cbb9ecad86004e8b906565a8e35f0773bcf37b42f1d3fd2d34da13bdf
                                        • Opcode Fuzzy Hash: 2ee84054e29619149678991aedad16e08f51cc12fbe78d85790a31da00286569
                                        • Instruction Fuzzy Hash: BA218E32924119EBCF0AEB94D942BEDBBB5EF48310F20412AE401721A1DF712E64DF91
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002C8346
                                        • fputs.MSVCRT ref: 002C835B
                                        • fputs.MSVCRT ref: 002C8364
                                          • Part of subcall function 002C83BF: __EH_prolog.LIBCMT ref: 002C83C4
                                          • Part of subcall function 002C83BF: fputs.MSVCRT ref: 002C8401
                                          • Part of subcall function 002C83BF: fputs.MSVCRT ref: 002C8437
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: fputs$H_prolog
                                        • String ID: =
                                        • API String ID: 2614055831-2525689732
                                        • Opcode ID: 60bbcecc45171ade18a63d51004fd51067de1358342f3a303646487e7d30ebe8
                                        • Instruction ID: b922c485c995a79e8ecd389c70cecea5ccbf086dfdc860ec80fa6d75a6b63f1e
                                        • Opcode Fuzzy Hash: 60bbcecc45171ade18a63d51004fd51067de1358342f3a303646487e7d30ebe8
                                        • Instruction Fuzzy Hash: 5601D631A20009EBCF16BBA5DC52BEEBB76EF84710F00801AF445621A1CF744A65DFD1
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002B209B
                                          • Part of subcall function 0029757D: GetLastError.KERNEL32(0029D14C), ref: 0029757D
                                          • Part of subcall function 002B2C6C: __EH_prolog.LIBCMT ref: 002B2C71
                                          • Part of subcall function 00291E40: free.MSVCRT ref: 00291E44
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prolog$ErrorLastfree
                                        • String ID: Cannot find archive file$The item is a directory
                                        • API String ID: 683690243-1569138187
                                        • Opcode ID: 976c668a73fc40b8feff1deb063ed0dad0667bd63c11d8c8a3870bec80d921cc
                                        • Instruction ID: 92f5a04f3895e310a45a0d9d5bdeb17e8c5a3c5e335411e87c61d218e2dc1353
                                        • Opcode Fuzzy Hash: 976c668a73fc40b8feff1deb063ed0dad0667bd63c11d8c8a3870bec80d921cc
                                        • Instruction Fuzzy Hash: 86724770D20259DFCF25DFA8C884BDDBBB5AF48340F24409AE859A7252CB709EA5CF51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: CountTickfputs
                                        • String ID: .
                                        • API String ID: 290905099-4150638102
                                        • Opcode ID: fcc2c461ae9b3074b8e24e1efe122266541a74467a1fc77e3565723c8c8afab7
                                        • Instruction ID: 70a684ab52c2a06feb8ef869daa97642eb9eee372379ed587099649cfbe206b9
                                        • Opcode Fuzzy Hash: fcc2c461ae9b3074b8e24e1efe122266541a74467a1fc77e3565723c8c8afab7
                                        • Instruction Fuzzy Hash: 58713731620B05AFCB25EF64C591FAAB7F6BF81304F204A1DE09B97A41DB70B959CB11
                                        APIs
                                          • Part of subcall function 00299C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00299CB3
                                          • Part of subcall function 00299C8F: GetProcAddress.KERNEL32(00000000), ref: 00299CBA
                                          • Part of subcall function 00299C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00299CC8
                                        • __aulldiv.LIBCMT ref: 002D093F
                                        • __aulldiv.LIBCMT ref: 002D094B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                        • String ID: 3333
                                        • API String ID: 3520896023-2924271548
                                        • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                        • Instruction ID: ed6b89e710392d585096432aaf3051411c6a871b0dab91d0c2cd5312046140bd
                                        • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                        • Instruction Fuzzy Hash: 0621A6B19107046EE7309F6A9881B5FFAF9EB88B10F00893FA186D7351D670AD408B65
                                        APIs
                                          • Part of subcall function 00291E40: free.MSVCRT ref: 00291E44
                                        • memset.MSVCRT ref: 002BAEBA
                                        • memset.MSVCRT ref: 002BAECD
                                          • Part of subcall function 002D04D2: _CxxThrowException.MSVCRT(?,00344A58), ref: 002D04F8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: memset$ExceptionThrowfree
                                        • String ID: Split
                                        • API String ID: 1404239998-1882502421
                                        • Opcode ID: 0e72908e45fda75a9396a6c75edea10540045cfa1d728fd7a59e50266e564482
                                        • Instruction ID: b2dd62fad806dfb128df4bf1315d75646cc92ff9c52a452f2a70d7aa1ea774f5
                                        • Opcode Fuzzy Hash: 0e72908e45fda75a9396a6c75edea10540045cfa1d728fd7a59e50266e564482
                                        • Instruction Fuzzy Hash: 91427E30A2024ADFDF25DFA4C884BEDBBB5BF19344F144099E449A7251CB71AEA5CF12
                                        APIs
                                        • fputs.MSVCRT ref: 002C8437
                                        • fputs.MSVCRT ref: 002C8401
                                          • Part of subcall function 00291FB3: __EH_prolog.LIBCMT ref: 00291FB8
                                        • __EH_prolog.LIBCMT ref: 002C83C4
                                          • Part of subcall function 00291FA0: fputc.MSVCRT ref: 00291FA7
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                         • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                         • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: H_prologfputs$fputc
                                        • String ID:
                                        • API String ID: 678540050-0
                                        APIs
                                        • fputs.MSVCRT ref: 002CC840
                                          • Part of subcall function 002925CB: _CxxThrowException.MSVCRT(?,00344A58), ref: 002925ED
                                        Strings
                                        Similarity
                                        • API ID: ExceptionThrowfputs
                                        • String ID:
                                        • API String ID: 1334390793-399585960
                                        APIs
                                        Strings
                                        Similarity
                                        • API ID: fputs
                                        • String ID: Open
                                        • API String ID: 1795875747-71445658
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002E06B3
                                        • _CxxThrowException.MSVCRT(?,0034D480), ref: 002E08F2
                                          • Part of subcall function 00291E0C: malloc.MSVCRT ref: 00291E1F
                                          • Part of subcall function 00291E0C: _CxxThrowException.MSVCRT(?,00344B28), ref: 00291E39
                                        Similarity
                                        • API ID: ExceptionThrow$H_prologmalloc
                                        • String ID:
                                        • API String ID: 3044594480-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002A4255
                                          • Part of subcall function 002A440B: __EH_prolog.LIBCMT ref: 002A4410
                                          • Part of subcall function 00291E0C: malloc.MSVCRT ref: 00291E1F
                                          • Part of subcall function 00291E0C: _CxxThrowException.MSVCRT(?,00344B28), ref: 00291E39
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002B021F
                                          • Part of subcall function 002A3D66: __EH_prolog.LIBCMT ref: 002A3D6B
                                          • Part of subcall function 002A3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 002A3D7D
                                          • Part of subcall function 002A3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 002A3D94
                                          • Part of subcall function 002A3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 002A3DB6
                                          • Part of subcall function 002A3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 002A3DCB
                                          • Part of subcall function 002A3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 002A3DD5
                                        Similarity
                                        • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                        • String ID:
                                        • API String ID: 1532160333-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002CC0B8
                                          • Part of subcall function 002B7193: __EH_prolog.LIBCMT ref: 002B7198
                                          • Part of subcall function 00291E40: free.MSVCRT ref: 00291E44
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002D0364
                                          • Part of subcall function 002D01C4: __EH_prolog.LIBCMT ref: 002D01C9
                                          • Part of subcall function 002D0143: __EH_prolog.LIBCMT ref: 002D0148
                                          • Part of subcall function 00291E40: free.MSVCRT ref: 00291E44
                                          • Part of subcall function 002D03D8: __EH_prolog.LIBCMT ref: 002D03DD
                                          • Part of subcall function 002D004A: __EH_prolog.LIBCMT ref: 002D004F
                                        Similarity
                                        • API ID: H_prolog$free
                                        • String ID:
                                        • API String ID: 2654054672-0
                                        APIs
                                        Similarity
                                        • API ID: H_prolog
                                        • String ID:
                                        • API String ID: 3519838083-0
                                        APIs
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        APIs
                                        • __EH_prolog.LIBCMT ref: 002E80AF
                                          • Part of subcall function 00291E0C: malloc.MSVCRT ref: 00291E1F
                                          • Part of subcall function 00291E0C: _CxxThrowException.MSVCRT(?,00344B28), ref: 00291E39
                                          • Part of subcall function 002DBDB5: __EH_prolog.LIBCMT ref: 002DBDBA
                                        Similarity
                                        • API ID: H_prolog$ExceptionThrowmalloc
                                        • String ID:
                                        • API String ID: 3744649731-0
                                        APIs
                                        • FindClose.KERNELBASE(00000000,?,00296880), ref: 00296853
                                        Similarity
                                        • API ID: CloseFind
                                        • String ID:
                                        • API String ID: 1863332320-0
                                        APIs
                                        Similarity
                                        • API ID: fputs
                                        • String ID:
                                        • API String ID: 1795875747-0
                                        APIs
                                        Similarity
                                        • API ID: memmove
                                        • String ID:
                                        • API String ID: 2162964266-0
                                        APIs
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                        • Instruction ID: f9a55f124141629df9ec817636a2ea59d2c8f0d9b77ff52d4974948bf09c5bfe
                                        • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                        • Instruction Fuzzy Hash: ACD022B121320106CF4E4AB24C0BBAB30942F5430AF28C5BCEC13CF281FB18C2588248
                                        APIs
                                        • VirtualAlloc.KERNELBASE(00000000), ref: 00316B31
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 54113dfae2dd78216d56f73716d2cab3009b9ab38d8c966928b5c1bd301facbd
                                        • Instruction ID: 30fcfcad51b159ea31c007360604392642c450e540ea917eb1e4d7dd958e544a
                                        • Opcode Fuzzy Hash: 54113dfae2dd78216d56f73716d2cab3009b9ab38d8c966928b5c1bd301facbd
                                        • Instruction Fuzzy Hash: 98C08CE1A4D280DFDF0613108C807603B208B83300F0A10C1E4046B093C2041808C722
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                        • Instruction ID: 5025a357f0fa3740407d7436b504bc383850add56f14c66ba80f67a81cd82774
                                        • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                        • Instruction Fuzzy Hash: 67A024D55110D003DD1F11303C1347F100013707077C005FCF401C4107F715C1041005
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: malloc
                                        • String ID:
                                        • API String ID: 2803490479-0
                                        • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                        • Instruction ID: b4d1ed59dd25c346f258726a7d993500a7213b1787f8159f469a8ccee77d0c18
                                        • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                        • Instruction Fuzzy Hash: 8EA012CCE00000019D0A1034381246714262AF0A057D4C4B4A40084109FA14C0042002
                                        APIs
                                        • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00316BAC
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: FreeVirtual
                                        • String ID:
                                        • API String ID: 1263568516-0
                                        • Opcode ID: d31f9547a63d9f3557cdcb97e793dd5a9cac60b1b3260ac2afc5d9be072f4d42
                                        • Instruction ID: 20a5dc83075987be6041e4c5fb3118a271c35f938941c2d7c86a2caf8e3d37c9
                                        • Opcode Fuzzy Hash: d31f9547a63d9f3557cdcb97e793dd5a9cac60b1b3260ac2afc5d9be072f4d42
                                        • Instruction Fuzzy Hash: A7A002B8694740B7ED6567306E8FF5937287780F05F3095447241790D15AE4B0449B5C
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                        • Instruction ID: 0c04d82d941b53f5282fe784d61ac5f71830bb37ed2b22ce231900d2f3376214
                                        • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                        • Instruction Fuzzy Hash:
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1821608500.0000000000291000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00290000, based on PE: true
                                        • Associated: 0000000A.00000002.1821592990.0000000000290000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821664276.000000000033C000.00000002.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821684619.0000000000352000.00000004.00000001.01000000.0000000A.sdmp
                                        • Associated: 0000000A.00000002.1821700714.000000000035B000.00000002.00000001.01000000.0000000A.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_290000_7zr.jbxd
                                        Similarity
                                        • API ID: free
                                        • String ID:
                                        • API String ID: 1294909896-0
                                        • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                        • Instruction ID: 004513f4590851fc6422871dded9cc466c7133381170b7035407469efa68673f
                                        • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                        • Instruction Fuzzy Hash: