Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe
(renamed because original name is a hash value)
Original sample name: 1.0.2.exe
Analysis ID: 1580228
MD5: 315719354db8520278ae3d022b90da14
SHA1: 46a92e47bdea70bef469eca470bb3b280f0fcd06
SHA256: e9d2969683bcc59dee33d048904b3bfb7af7b140ce360a326bb5bb9b3ef3b57e
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: 315719354DB8520278AE3D022B90DA14)
    • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 7324 cmdline: "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: FFE4B45A6AE66BCB0FA01197725E2E27)
      • powershell.exe (PID: 7340 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7988 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 7424 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: 315719354DB8520278AE3D022B90DA14)
        • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 7504 cmdline: "C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$10488,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: FFE4B45A6AE66BCB0FA01197725E2E27)
          • 7zr.exe (PID: 7620 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7716 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7588 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7604 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7796 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7812 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7824 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7844 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7928 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7944 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8044 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8104 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8176 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 560 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 792 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1136 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6264 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7412 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7616 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7676 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7740 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7752 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7932 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7456 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1612 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7204 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6264 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7484 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7736 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7784 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7756 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7948 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 7324, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7340, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7588, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7604, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 7324, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7340, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7588, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7604, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 7324, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7340, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac; Virustotal: Detection: 15%
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Virustotal: Detection: 6%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 93.4% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1742828875.0000000003420000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1742694432.0000000003220000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 5_2_6C7AAEC0 FindFirstFileA,FindClose,5_2_6C7AAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00B86868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00B86868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00B87496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00B87496
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F44B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1691453628.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000000.1711906120.00000000005BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F44B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1691453628.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000000.1711906120.00000000005BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

barindex
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: 01 00 00 00 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C633886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C633886
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C7B5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6C7B5120
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C633C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C633C62
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C633D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C633D62
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6C7B5D60
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C633D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C633D18
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C6339CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C6339CF
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C633A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C633A6A
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C631950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C631950
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 5_2_6C634754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C634754
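The entries under this heading read better as three routines than as a list of APIs. The NtSetInformationThread / GetCurrentThread / NtSetInformationThread triples are the idiom for setting ThreadHideFromDebugger on the calling thread. 5_2_6C7B5D60 enables a token privilege and then calls NtInitiatePowerAction, so the privilege is in all likelihood SeShutdownPrivilege (an inference from the call order; the report does not name it). 5_2_6C634754 terminates processes, calls ExitWindowsEx and deletes files with Sleep calls between the steps, which is the kill, shut down and wipe sequence that earns the heading. The "Process information set: 01 00 00 00" record shows a process-information value of 1 being set; under this heading that is the ProcessBreakOnTermination (critical process) setting, which turns a kill of the process into a bugcheck. The script below, an added example that is not Joe Sandbox code and not part of the sample, parses records in the shape printed above and tags each function with the API categories and ordered call sequences it contains; the tag table, the sequence names and the fixed eight-hex-digit width of function ids are the author's assumptions.

```python
"""Tag the API-call chains that Joe Sandbox prints as "Code function" records.

Added example for this report; it is not Joe Sandbox code and not part of
the sample. The records below are copied (the long _strlen runs shortened)
from this section; the tag table and sequences are the author's assumptions.
"""
import re

# Constructed input: "Code function" records taken from the entries above.
SAMPLE_RECORDS = [
    "Code function: 5_2_6C633886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C633886",
    "Code function: 5_2_6C7B5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6C7B5120",
    "Code function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6C7B5D60",
    "Code function: 5_2_6C631950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C631950",
    "Code function: 5_2_6C634754 _strlen,CreateFileA,CreateFileA,CloseHandle,TerminateProcess,GetCurrentProcess,TerminateProcess,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,DeleteFileA,Sleep,5_2_6C634754",
    "Code function: 5_2_6C644A27 5_2_6C644A27",
]

# Function ids in this report are <pid>_<run>_<8 hex digits>. The fixed width
# (assumed) also splits the fused form "5_2_6C6347545_2_6C634754" correctly.
_RECORD = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<apis>.*)$")

# Assumed mapping from API names to triage tags.
TAGS = {
    "anti-debug": {"NtSetInformationThread"},       # ThreadHideFromDebugger is set through this call
    "privilege": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
    "shutdown": {"NtInitiatePowerAction", "ExitWindowsEx"},
    "driver-io": {"DeviceIoControl"},
    "service-control": {"OpenSCManagerA", "OpenServiceA"},
    "destructive": {"TerminateProcess", "DeleteFileA"},
}

# Ordered call sequences (gaps allowed) that mean more than the single calls.
SEQUENCES = {
    "hide-thread": ["NtSetInformationThread", "GetCurrentThread", "NtSetInformationThread"],
    "kill-shutdown-wipe": ["TerminateProcess", "ExitWindowsEx", "DeleteFileA"],
    "privileged-shutdown": ["AdjustTokenPrivileges", "NtInitiatePowerAction"],
}


def parse_record(line):
    """Return (function_id, [api, ...]) or None; the repeated trailing id is dropped."""
    m = _RECORD.search(line)
    if not m:
        return None
    fid = m.group("fid")
    apis = [a for a in m.group("apis").split(",") if a and a != fid]
    return fid, apis


def is_subsequence(seq, apis):
    """True when every name in seq occurs in apis in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(got == name for got in it) for name in seq)


def tag_chain(apis):
    """Set of tags for one API chain: category hits plus ordered sequences."""
    present = set(apis)
    tags = {tag for tag, names in TAGS.items() if present & names}
    tags |= {tag for tag, seq in SEQUENCES.items() if is_subsequence(seq, apis)}
    return tags


def triage(lines):
    """Map function id -> sorted tag list for every record that parses."""
    result = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed:
            fid, apis = parsed
            result[fid] = sorted(tag_chain(apis))
    return result


if __name__ == "__main__":
    for fid, tags in triage(SAMPLE_RECORDS).items():
        print(fid, ", ".join(tags) or "(no APIs listed)")
```

Because the pattern searches rather than anchors, it accepts the full `Source: ... | Code function: ...` lines as they appear in this report as well as the bare records embedded above, and the fixed id width also recovers the id from the fused form in which the trailing id runs straight into the list.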
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C634754
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C644A27
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7B1880
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7B6A43
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C816CE0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C863D50
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C869E80
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C802EC9
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7E8EA1
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C85E810
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7E8972
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C8699F0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C87A930
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C861AA0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C874AA0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C85DAD0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C85FA50
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7F0BCA
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C800B66
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C80540A
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C862580
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C86F5C0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C8696E0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C889700
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7EC7CF
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C860020
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C873750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BC81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B9E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C081C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C022E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C18240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C22300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C104C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BEE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C025F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BF66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BF8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BD0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C02A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BDAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C06CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BF8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C14EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C10E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BE10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C0D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C191C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C05180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BEB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C11120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C17200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BE53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BAB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C0F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B853CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C154D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BCD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BF7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C0F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C11550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B81572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C2351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C13530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C0D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C23601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BD9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C177C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B897CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B99766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BAF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B81AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C07AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BD3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B9BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B9BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C07C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00BFFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C05E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C05F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00C1FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B828E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00B81E40 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: String function: 6C886F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: String function: 6C7E9240 appears 31 times
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F74A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName 8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002E0E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName 8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000000.1687448966.0000000000DA9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName 8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Binary or memory string: OriginalFileName 8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.11.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal92.evad.winEXE@147/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B89313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B93D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B89252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7B5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\is-S9CBO.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1740:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$10488,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$10488,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2 identical entries)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll (2 identical entries)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static file information: File size 5986125 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000B.00000003.1742828875.0000000003420000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1742694432.0000000003220000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_00C057D0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: real checksum: 0x0 should be: 0x5bdd3b
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a0e
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.5.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x343a0e
Source: tProtect.dll.11.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr | Static PE information: section name: .didata
Source: 7zr.exe.5.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.5.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.5.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.5.dr | Static PE information: section name: .8Tk
Source: update.vac.5.dr | Static PE information: section name: .00cfg
Source: update.vac.5.dr | Static PE information: section name: .voltbl
Source: update.vac.5.dr | Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7B86EB push ecx; ret 5_2_6C7B86FE
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C660F00 push ss; retn 0001h 5_2_6C660F0A
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C886F10 push eax; ret 5_2_6C886F2E
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C7EB9F4 push 004AC35Ch; ret 5_2_6C7EBA0E
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 5_2_6C887290 push eax; ret 5_2_6C8872BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00B845F4 push 00C2C35Ch; ret 9_2_00B8460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1FB10 push eax; ret 9_2_00C1FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00C1FE90 push eax; ret 9_2_00C1FEBE
Source: update.vac.1.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.5.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.5.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\update.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 5785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3898
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Window / User API: threadDelayed 673
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Window / User API: threadDelayed 637
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Window / User API: threadDelayed 577
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe  API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492  Thread sleep count: 5785 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464  Thread sleep count: 3898 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576  Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C7AAEC0 FindFirstFileA,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 9_2_00B86868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 9_2_00B87496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 9_2_00B89C60 GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C633886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C7C0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 9_2_00C057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C7C9D66 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C7C9D35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C7BF17D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C7B8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.11.dr  Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe  Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp  Code function: 5_2_6C887700 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 9_2_00B8AB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe  Code function: 9_2_00C20090 GetVersion
MITRE ATT&CK Matrix

Techniques are listed per tactic column; a number in parentheses is the figure the report attaches to that technique.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2), Service Execution (1), Native API (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Access Token Manipulation (1), Windows Service (1), Process Injection (111), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (11), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (231), Access Token Manipulation (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (42), Virtualization/Sandbox Evasion (231), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (2), File and Directory Discovery (3), System Information Discovery (25), Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph
Behavior Graph ID: 1580228
Sample: #U5b89#U88c5#U52a9#U624b1.0.2.exe
Start date: 24/12/2024
Architecture: WINDOWS
Score: 92
Top-level signatures:
  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • Found driver which could be used to inject code into processes
  • 2 other signatures
Process tree (indentation shows parent/child; "dropped" marks a file written by the parent process; "signature" marks a behavior signature raised by the parent process):
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe (started)
    • dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, PE32
    • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (started)
      • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
      • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      • signature: Adds a directory exclusion to Windows Defender
      • #U5b89#U88c5#U52a9#U624b1.0.2.exe (started)
        • dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, PE32
        • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (started)
          • dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
          • dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32
          • dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
          • dropped: C:\Program Files (x86)\Windows NT\7zr.exe, PE32
          • signature: Query firmware table information (likely to detect VMs)
          • signature: Protects its processes via BreakOnTermination flag
          • signature: Hides threads from debuggers
          • signature: Contains functionality to hide a thread from the debugger
          • 7zr.exe (started)
            • dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
            • conhost.exe (started)
          • 7zr.exe (started)
            • conhost.exe (started)
      • powershell.exe (started)
        • signature: Loading BitLocker PowerShell Module
        • conhost.exe (started)
        • WmiPrvSE.exe (started)
  • cmd.exe (started)
    • sc.exe (started)
      • conhost.exe (started)
  • cmd.exe (started)
    • sc.exe (started)
      • conhost.exe (started)
  • 32 other processes (started)
    • sc.exe (started, 3 instances), each starting conhost.exe
    • 28 other processes
      • conhost.exe (started)
      • 27 other processes

Antivirus detection for the submitted sample (Source / Detection / Scanner):
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe: 7%, Virustotal
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe: 0%, ReversingLabs
Antivirus detection for dropped files (Source / Detection / Scanner):
  • C:\Program Files (x86)\Windows NT\7zr.exe: 0%, ReversingLabs
  • C:\Program Files (x86)\Windows NT\7zr.exe: 0%, Virustotal
  • C:\Program Files (x86)\Windows NT\hrsw.vbc: 15%, Virustotal
  • C:\Program Files (x86)\Windows NT\tProtect.dll: 9%, ReversingLabs
  • C:\Program Files (x86)\Windows NT\tProtect.dll: 6%, Virustotal
  • C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\_isetup\_setup64.tmp: 0%, ReversingLabs
  • C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\_isetup\_setup64.tmp: 0%, Virustotal
  • C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac: 15%, Virustotal
  • C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\_isetup\_setup64.tmp: 0%, ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs (Name / Source / Malicious / Reputation):
  • https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
    Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe
    Malicious: false
    Reputation: high
  • https://www.remobjects.com/ps
    Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F44B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1691453628.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000000.1711906120.00000000005BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr
    Malicious: false
    Reputation: high
  • https://www.innosetup.com/
    Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F44B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1691453628.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000000.1711906120.00000000005BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr
    Malicious: false
    Reputation: high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580228
        Start date and time:2024-12-24 04:51:06 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 8m 49s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed:112
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U52a9#U624b1.0.2.exe
        renamed because original name is a hash value
        Original Sample Name:1.0.2.exe
        Detection:MAL
        Classification:mal92.evad.winEXE@147/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 77%
        • Number of executed functions: 68
        • Number of non-executed functions: 75
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): Conhost.exe
        • Excluded IPs from analysis (whitelisted): 4.175.87.197
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        Timeline (Time / Type / Description):
        • 22:51:59, API Interceptor: 1x Sleep call for process: #U5b89#U88c5#U52a9#U624b1.0.2.tmp modified
        • 22:52:01, API Interceptor: 24x Sleep call for process: powershell.exe modified
        No context
        No context
        No context
        No context
        Match: C:\Program Files (x86)\Windows NT\7zr.exe
        Associated samples (Sample Name / Detection / Threat Name):
        • #U5b89#U88c5#U52a9#U624b1.0.2.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.8.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b1.0.2.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.8.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.6.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.6.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.7.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.7.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.5.exe: malicious, Unknown
        • #U5b89#U88c5#U52a9#U624b_2.0.4.exe: malicious, Unknown
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                             • Antivirus: Virustotal, Detection: 0%
                            Joe Sandbox View:
                             • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious
                             • Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1298992
                            Entropy (8bit):7.999859712098508
                            Encrypted:true
                            SSDEEP:24576:Jm7V4SAXqwNu//CopofXJGkYYguHpFGnJ3jm7biUd163/etGJir:CFAXY3CwofZYAnGnJfW163/eP
                            MD5:6FFA62F827FB9CCD24B82A7B93CD0B92
                            SHA1:26BD8C8B9703ED628D5BFFC7F4F05C0434DDD192
                            SHA-256:3CF4EA11F2EE6642695B5D7F5373ECCFB381A4FE7DC79F796342BF214BBB7FE7
                            SHA-512:C32F17A21A0AFB4ABA501C3D0DAC3DD31610195C4B0CE96B16B0EE579EB9A1768BCE8B6D725AC06A0CBE21A1C4DA22D0FC37AEEE094CAAFF857D0A77C3C578E8
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Antivirus:
                             • Antivirus: Virustotal, Detection: 15%
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1048934
                            Entropy (8bit):7.999810584659191
                            Encrypted:true
                            SSDEEP:24576:zzo7JKPe56MvMbFP0ERf6gc0mgl2Cz8fyDPPK+tNTbotfxeeW:zzo1KPepUP/f6Z0NlZsyjy+tZb4AeW
                            MD5:D6E21035CF34180A78FD0609ACFA9285
                            SHA1:721C65391A0C2E18987202864D1CB08F9545AA3D
                            SHA-256:D1B45E42ABAEB7560E8E186277974790F97E141CAFCC3FF920460E542F9CD1AF
                            SHA-512:566E9571B984CDBF2BC9E51101894BB0BF61E857C03D90888AB9EAF93B3BDB7368F274D21893281A4603FE6390CA66EE201E022D25DADBA804D3523DFDE69D6C
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1298992
                            Entropy (8bit):7.999859712098508
                            Encrypted:true
                            SSDEEP:24576:Jm7V4SAXqwNu//CopofXJGkYYguHpFGnJ3jm7biUd163/etGJir:CFAXY3CwofZYAnGnJfW163/eP
                            MD5:6FFA62F827FB9CCD24B82A7B93CD0B92
                            SHA1:26BD8C8B9703ED628D5BFFC7F4F05C0434DDD192
                            SHA-256:3CF4EA11F2EE6642695B5D7F5373ECCFB381A4FE7DC79F796342BF214BBB7FE7
                            SHA-512:C32F17A21A0AFB4ABA501C3D0DAC3DD31610195C4B0CE96B16B0EE579EB9A1768BCE8B6D725AC06A0CBE21A1C4DA22D0FC37AEEE094CAAFF857D0A77C3C578E8
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.996546775800433
                            Encrypted:true
                            SSDEEP:1536:7DuRHPS0dk/fZO6X5QmoeCyxK0cpwjK5AOWB7xQFFiZNrkM:Uq7fHac0TpwXOQRB
                            MD5:21BFB225D2E39810D9EE735B3060E744
                            SHA1:7D199DF76261C313FDF7AC01337E6A1408AA8512
                            SHA-256:501CD7704495EA6DE9D1954D57B3AE8A64113D74DB6987989846B932EBA7777A
                            SHA-512:CEFCF390A30478EB458B40D3452B1C7113CD2639F25BC2DC5810213AE9A40EAA7476AEA59A929FFF76CF413EC9D6E74B061F8D25182EAE50BBD098AE81C29EAE
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.996546775800435
                            Encrypted:true
                            SSDEEP:768:OM8fzupqIW2Fco+I2nUZp3apRhoFQevWPlE8O89ZtYTL/FPk06HoP+Y6FY1ykws7:qaIb2FcoRGUZplFGwgEqHo2dkRvospf9
                            MD5:65C9E51864D8DD52F2E31A2DE279E0E3
                            SHA1:85C553B3704B09DEFB2C64C0112FD9097A48C9E8
                            SHA-256:568D2F12C6BB93BE575029FC3995FD3BC6C23A109EAE1808CCB1ED8FF4EE45DF
                            SHA-512:CC6B145E56F10DC8B5E61E5742AABD9902ACF21A3F241A3F6DFA490B4279C36C1ED04B6355A35CA3C22F95530CAF607C59A31513F65C56ADA9B9CF156B351B42
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):1298992
                            Entropy (8bit):7.999859712098505
                            Encrypted:true
                            SSDEEP:24576:lS6oXJtF6HcpRkxQVgWmX5UP4igmlSjb+lnlM+xXd8ZEIzkiC6/ahnW0ISNJi:lS6oXJjecpRkiq/udgmlSnynS+z8qIYc
                            MD5:682645AD9182AA4DEB865D068B1CCE11
                            SHA1:7587BB39554B309CDE18010293B4AE06C0F36DA8
                            SHA-256:CF7D68ABF8390DF41C07606FC533D758B9C21D02A85372B39D395BDD255C08B7
                            SHA-512:A1CCA2B1F05DDB5FD601A9ABF472208B95EEF62466507C2C21DD7CE5513E475F8E07A20E612DD98F5031D20589D4E3805F3BC815D1C45058E2C2D2FC9C39FE6E
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                             • Antivirus: Virustotal, Detection: 6%
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.344834847024567
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                            MD5:7F252B19B6E96247184F55570325E9FA
                            SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                            SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                            SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                            Malicious:false
                             Preview:
                             <Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                               <RegistrationInfo>
                                 <Date>2005-10-11T13:21:17-08:00</Date>
                                 <Author>Microsoft Corporation</Author>
                                 <Version>1.0.0</Version>
                                 <Description>Microsoft</Description>
                                 <URI>\kafanbbs</URI>
                               </RegistrationInfo>
                               <Triggers>
                                 <LogonTrigger>
                                   <Enabled>true</Enabled>
                                   <UserId>user</UserId>
                                 </LogonTrigger>
                               </Triggers>
                               <Principals>
                                 <Principal id="System">
                                   <UserId>user</UserId>
                                   <RunLevel>HighestAvailable</RunLevel>
                                 </Principal>
                               </Principals>
                               <Settings>
                                 <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                                 <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                 <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                                 <AllowHardTerminate>false</AllowHardTerminate>
                                 <StartWhenAvailable>true</StartWhenAvailable>
                                 <RunOnlyIfNetworkAvai
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1048934
                            Entropy (8bit):7.999810584659191
                            Encrypted:true
                            SSDEEP:24576:zzo7JKPe56MvMbFP0ERf6gc0mgl2Cz8fyDPPK+tNTbotfxeeW:zzo1KPepUP/f6Z0NlZsyjy+tZb4AeW
                            MD5:D6E21035CF34180A78FD0609ACFA9285
                            SHA1:721C65391A0C2E18987202864D1CB08F9545AA3D
                            SHA-256:D1B45E42ABAEB7560E8E186277974790F97E141CAFCC3FF920460E542F9CD1AF
                            SHA-512:566E9571B984CDBF2BC9E51101894BB0BF61E857C03D90888AB9EAF93B3BDB7368F274D21893281A4603FE6390CA66EE201E022D25DADBA804D3523DFDE69D6C
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllultnxj:NllU
                            MD5:F93358E626551B46E6ED5A0A9D29BD51
                            SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                            SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                            SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                             • Antivirus: Virustotal, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Antivirus:
                             • Antivirus: Virustotal, Detection: 15%
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530561164569484
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:FFE4B45A6AE66BCB0FA01197725E2E27
                            SHA1:AA72B2B7AB2CAEE1068DDBB88302B8E366CF52C0
                            SHA-256:E69DC5ABBD55150D1A261D29754EE32283310D03F63C7B464F6B153817A33593
                            SHA-512:0D8E0E3C262493EC3F1805B1C063DA860A6DED98D1ECD9970FB4A402C8875A66A824B7BD889DA43841089EF208072DC15C6904EFC7D167FF4854C041778E0758
                            Malicious:true
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.926928632634154
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            File size:5'986'125 bytes
                            MD5:315719354db8520278ae3d022b90da14
                            SHA1:46a92e47bdea70bef469eca470bb3b280f0fcd06
                            SHA256:e9d2969683bcc59dee33d048904b3bfb7af7b140ce360a326bb5bb9b3ef3b57e
                            SHA512:7e8f27c638b512c07d65af3d38db4c494d1c839bf1e11158f75935986c6934cf6884cb8b2f48742d14ff747460599eb85e2f3a865584a6a9769b2776032747d2
                            SSDEEP:98304:XwREDF7dlsK9h1hNngwVtIyINldOA8WZFt9Z0lJdMwZgo:lNdNh7dIT3dOAlrMRB
                            TLSH:80561213F2CBE03EE05E0B3715B2A25484FB6A216522AE5796ECB4ECCF351601D3E647
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F9B20AAA815h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F9B20B3C19Bh
                            call 00007F9B20B3BCEEh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F9B20B369C8h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F9B20AA48C3h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F9B20B37CF3h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F9B20B3C223h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F9B20B42F0Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F9B20B385E8h
                            mov edx, dword ptr [004B4200h]
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc | 0xcb000 | 0x11000 | 0x11000 | 8d101b7c7b614b140e68d57e4bcf7223 | False | 0.18781594669117646 | data | 3.7235859696272633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
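
The section table and data directories above are enough to check the report's "Is in Section" column and the entry point yourself, and they also explain the 845824 in the /SL5 argument that the extracted .tmp child (Target ID 1, further down) receives: headers plus the raw sizes of all sections add up to exactly that number, so the Inno Setup payload sits immediately after the loader's PE image. The following is an added example, not code from the report, from Joe Sandbox or from Inno Setup. All numbers are copied from the report except SizeOfHeaders, which the report does not print and is assumed to be 0x400; the reading of /SL5 as "$hwnd,offset0,offset1,path" follows Inno Setup's loader convention, with offset1 marking the start of the embedded file data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values copied from the report. SIZE_OF_HEADERS is NOT in the report; 0x400 is
# assumed (the usual SizeOfHeaders for a Delphi/Inno Setup loader).
IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4A83BC
FILE_SIZE = 5_986_125
SIZE_OF_HEADERS = 0x400  # assumption
# Command line of Target ID 1 as listed in the report's process section.
SL5_CMDLINE = (
    r'"C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" '
    r'/SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"'
)

@dataclass(frozen=True)
class Section:
    name: str
    va: int     # virtual address (RVA)
    vsize: int  # virtual size
    raw: int    # size of raw data on disk

SECTIONS: List[Section] = [
    Section(".text",   0x1000,  0xa568c, 0xa5800),
    Section(".itext",  0xa7000, 0x1b64,  0x1c00),
    Section(".data",   0xa9000, 0x3838,  0x3a00),
    Section(".bss",    0xad000, 0x7258,  0x0),
    Section(".idata",  0xb5000, 0xfec,   0x1000),
    Section(".didata", 0xb6000, 0x1a4,   0x200),
    Section(".edata",  0xb7000, 0x71,    0x200),
    Section(".tls",    0xb8000, 0x18,    0x0),
    Section(".rdata",  0xb9000, 0x5d,    0x200),
    Section(".reloc",  0xba000, 0x10fa8, 0x11000),
    Section(".rsrc",   0xcb000, 0x11000, 0x11000),
]

# Non-empty data directories from the report: name -> (RVA, size).
DATA_DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "EXPORT": (0xb7000, 0x71), "IMPORT": (0xb5000, 0xfec),
    "RESOURCE": (0xcb000, 0x11000), "BASERELOC": (0xba000, 0x10fa8),
    "TLS": (0xb9000, 0x18), "IAT": (0xb52d4, 0x25c),
    "DELAY_IMPORT": (0xb6000, 0x1a4),
}

def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Section whose virtual range [va, va + vsize) contains rva, else None."""
    for s in sections:
        if s.va <= rva < s.va + s.vsize:
            return s
    return None

def directory_sections(dirs=DATA_DIRECTORIES, sections=SECTIONS) -> Dict[str, Optional[str]]:
    """Reproduce the report's 'Is in Section' column: a directory is attributed
    to a section only if its first and last byte fall in the same section."""
    out = {}
    for name, (rva, size) in dirs.items():
        first = section_for_rva(rva, sections)
        last = section_for_rva(rva + size - 1, sections) if size else first
        out[name] = first.name if first is not None and first is last else None
    return out

def entry_point_section(va: int = ENTRY_POINT_VA, base: int = IMAGE_BASE) -> Optional[str]:
    """Delphi/Inno Setup binaries start in .itext rather than .text."""
    s = section_for_rva(va - base)
    return s.name if s else None

def uninitialised_sections(sections=SECTIONS) -> List[str]:
    """Sections mapped at run time but absent on disk (raw size 0)."""
    return [s.name for s in sections if s.vsize and s.raw == 0]

def loader_on_disk_size(sections=SECTIONS, size_of_headers: int = SIZE_OF_HEADERS) -> int:
    """Bytes of the PE image present on disk: headers plus every raw section.
    Everything after this offset is overlay that the Windows loader never maps."""
    return size_of_headers + sum(s.raw for s in sections)

def overlay_size(file_size: int = FILE_SIZE) -> int:
    """Appended data carried by the installer (setup files, setup header, offset table)."""
    return file_size - loader_on_disk_size()

def parse_sl5(cmdline: str) -> dict:
    """Parse Inno Setup's /SL5="$hwnd,offset0,offset1,path" loader argument.
    Split at most three times: only the path may contain further commas."""
    m = re.search(r'/SL5="([^"]*)"', cmdline)
    if not m:
        raise ValueError("no /SL5 argument in command line")
    hwnd, off0, off1, path = m.group(1).split(",", 3)
    return {"hwnd": int(hwnd.lstrip("$"), 16), "offset0": int(off0),
            "offset1": int(off1), "path": path}

def payload_starts_after_loader(cmdline: str = SL5_CMDLINE) -> bool:
    """offset1 is where the embedded file data starts; it equals the loader's
    on-disk size when the payload is appended directly after the PE image."""
    return parse_sl5(cmdline)["offset1"] == loader_on_disk_size()
```

The practical value of the overlay figure is that it tells you where the interesting bytes are: the sections themselves have moderate entropy (the highest is .reloc at 6.7), so the 7.93 whole-file entropy reported above comes from the roughly 5.1 MB of compressed Inno Setup data after the loader, not from a packed code section.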
                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                            RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                            RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                            RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                            RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                            RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                            RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                            RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                            RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                            RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                            RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                            RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                            RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                            RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                            RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
                            RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                            RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2776203966005666
                            RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                            DLL | Import
                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dll | InitCommonControls
                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                            Name | Ordinal | Address
                            __dbk_fcall_wrapper | 2 | 0x40fc10
                            dbkFCallWrapperAddr | 1 | 0x4b063c
                            Language of compilation system | Country where language is spoken
                            English | United States
                            No network behavior found

                            Target ID:0
                            Start time:22:51:58
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                            Imagebase:0xcf0000
                            File size:5'986'125 bytes
                            MD5 hash:315719354DB8520278AE3D022B90DA14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:22:51:58
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                            Imagebase:0x4e0000
                            File size:3'366'912 bytes
                            MD5 hash:FFE4B45A6AE66BCB0FA01197725E2E27
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:22:51:59
                            Start date:23/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:22:51:59
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:22:51:59
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                            Imagebase:0xcf0000
                            File size:5'986'125 bytes
                            MD5 hash:315719354DB8520278AE3D022B90DA14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:5
                            Start time:22:52:00
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$10488,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                            Imagebase:0x340000
                            File size:3'366'912 bytes
                            MD5 hash:FFE4B45A6AE66BCB0FA01197725E2E27
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:6
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x800000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0xb80000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal
                            Reputation:moderate
                            Has exited:true

                            Target ID:10
                            Start time:22:52:02
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0xb80000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:12
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:22:52:03
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:23
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:22:52:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:22:52:05
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:72
                            Start time:22:52:06
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:22:52:07
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff73f480000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:109
                            Start time:22:52:08
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:110
                            Start time:22:52:09
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff6d1290000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:2.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15%
                              Total number of Nodes:832
                              Total number of Limit Nodes:10
                              execution_graph 66094 6c634b53 66252 6c7b6a43 66094->66252 66096 6c634b5c _Yarn 66266 6c7aaec0 66096->66266 66098 6c65639e 66362 6c7c0130 18 API calls 2 library calls 66098->66362 66100 6c634cff 66101 6c635164 CreateFileA CloseHandle 66106 6c6351ec 66101->66106 66102 6c634bae std::ios_base::_Ios_base_dtor 66102->66098 66102->66100 66102->66101 66103 6c64245a _Yarn _strlen 66102->66103 66103->66098 66105 6c7aaec0 FindFirstFileA 66103->66105 66108 6c642a83 std::ios_base::_Ios_base_dtor 66105->66108 66270 6c7b5120 OpenSCManagerA 66106->66270 66108->66098 66274 6c7a0390 66108->66274 66109 6c63fc00 66355 6c7b5240 CreateToolhelp32Snapshot 66109->66355 66112 6c7b6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66147 6c635478 std::ios_base::_Ios_base_dtor _Yarn _strlen 66112->66147 66114 6c6437d0 Sleep 66158 6c6437e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 66114->66158 66115 6c7aaec0 FindFirstFileA 66115->66147 66116 6c6563b2 66363 6c6315e0 18 API calls std::ios_base::_Ios_base_dtor 66116->66363 66117 6c7b5240 4 API calls 66135 6c64053a 66117->66135 66119 6c7b5240 4 API calls 66139 6c6412e2 66119->66139 66120 6c6564f8 66121 6c63ffe3 66121->66117 66125 6c640abc 66121->66125 66122 6c656ba0 104 API calls 66122->66147 66123 6c656e60 32 API calls 66123->66147 66125->66103 66125->66119 66127 6c7b5240 4 API calls 66127->66125 66128 6c7b5240 4 API calls 66144 6c641dd9 66128->66144 66129 6c636722 66331 6c7b1880 25 API calls 4 library calls 66129->66331 66130 6c64211c 66130->66103 66131 6c64241a 66130->66131 66134 6c7a0390 11 API calls 66131->66134 66132 6c7aaec0 FindFirstFileA 66132->66158 66136 6c64244d 66134->66136 66135->66125 66135->66127 66361 6c7b5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66136->66361 66138 6c642452 Sleep 66138->66103 66139->66128 66139->66130 66151 6c6416ac 66139->66151 66140 6c636162 66141 6c63740b 
66332 6c7b4ff0 CreateProcessA 66141->66332 66143 6c7b5240 4 API calls 66143->66130 66144->66130 66144->66143 66147->66098 66147->66109 66147->66112 66147->66115 66147->66122 66147->66123 66147->66129 66147->66140 66312 6c657090 66147->66312 66325 6c67e010 66147->66325 66148 6c657090 77 API calls 66148->66158 66149 6c67e010 67 API calls 66149->66158 66150 6c63775a _strlen 66150->66098 66152 6c637b92 66150->66152 66153 6c637ba9 66150->66153 66156 6c637b43 _Yarn 66150->66156 66154 6c7b6a43 std::_Facet_Register 4 API calls 66152->66154 66155 6c7b6a43 std::_Facet_Register 4 API calls 66153->66155 66154->66156 66155->66156 66157 6c7aaec0 FindFirstFileA 66156->66157 66167 6c637be7 std::ios_base::_Ios_base_dtor 66157->66167 66158->66098 66158->66132 66158->66148 66158->66149 66283 6c656ba0 66158->66283 66302 6c656e60 66158->66302 66159 6c7b4ff0 4 API calls 66170 6c638a07 66159->66170 66160 6c63962c _strlen 66160->66098 66161 6c639d68 66160->66161 66162 6c639d7f 66160->66162 66165 6c639d18 _Yarn 66160->66165 66163 6c7b6a43 std::_Facet_Register 4 API calls 66161->66163 66164 6c7b6a43 std::_Facet_Register 4 API calls 66162->66164 66163->66165 66164->66165 66166 6c7aaec0 FindFirstFileA 66165->66166 66173 6c639dbd std::ios_base::_Ios_base_dtor 66166->66173 66167->66098 66167->66159 66167->66160 66168 6c638387 66167->66168 66169 6c7b4ff0 4 API calls 66179 6c639120 66169->66179 66170->66169 66171 6c7b4ff0 4 API calls 66188 6c63a215 _strlen 66171->66188 66172 6c7b4ff0 4 API calls 66175 6c639624 66172->66175 66173->66098 66173->66171 66178 6c63e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 66173->66178 66174 6c7b6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66174->66178 66336 6c7b5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66175->66336 66177 6c7aaec0 FindFirstFileA 66177->66178 66178->66098 66178->66174 66178->66177 66180 6c63ed02 Sleep 66178->66180 66181 
6c63f7b1 66178->66181 66179->66172 66200 6c63e8c1 66180->66200 66354 6c7b5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66181->66354 66183 6c63a9a4 66186 6c7b6a43 std::_Facet_Register 4 API calls 66183->66186 66184 6c63a9bb 66187 6c7b6a43 std::_Facet_Register 4 API calls 66184->66187 66185 6c63e8dd GetCurrentProcess TerminateProcess 66185->66178 66195 6c63a953 _Yarn _strlen 66186->66195 66187->66195 66188->66098 66188->66183 66188->66184 66188->66195 66189 6c7b4ff0 4 API calls 66189->66200 66190 6c63fbb8 66191 6c63fbe8 ExitWindowsEx Sleep 66190->66191 66191->66109 66192 6c63f7c0 66192->66190 66193 6c63aff0 66196 6c7b6a43 std::_Facet_Register 4 API calls 66193->66196 66194 6c63b009 66197 6c7b6a43 std::_Facet_Register 4 API calls 66194->66197 66195->66116 66195->66193 66195->66194 66198 6c63afa0 _Yarn 66195->66198 66196->66198 66197->66198 66337 6c7b5960 66198->66337 66200->66178 66200->66185 66200->66189 66201 6c63b059 std::ios_base::_Ios_base_dtor _strlen 66201->66098 66202 6c63b443 66201->66202 66203 6c63b42c 66201->66203 66206 6c63b3da _Yarn _strlen 66201->66206 66205 6c7b6a43 std::_Facet_Register 4 API calls 66202->66205 66204 6c7b6a43 std::_Facet_Register 4 API calls 66203->66204 66204->66206 66205->66206 66206->66116 66207 6c63b7b7 66206->66207 66208 6c63b79e 66206->66208 66211 6c63b751 _Yarn 66206->66211 66210 6c7b6a43 std::_Facet_Register 4 API calls 66207->66210 66209 6c7b6a43 std::_Facet_Register 4 API calls 66208->66209 66209->66211 66210->66211 66212 6c7b5960 104 API calls 66211->66212 66213 6c63b804 std::ios_base::_Ios_base_dtor _strlen 66212->66213 66213->66098 66214 6c63bc26 66213->66214 66215 6c63bc0f 66213->66215 66218 6c63bbbd _Yarn _strlen 66213->66218 66217 6c7b6a43 std::_Facet_Register 4 API calls 66214->66217 66216 6c7b6a43 std::_Facet_Register 4 API calls 66215->66216 66216->66218 66217->66218 66218->66116 66219 6c63c075 66218->66219 66220 6c63c08e 66218->66220 66223 6c63c028 _Yarn 
66218->66223 66221 6c7b6a43 std::_Facet_Register 4 API calls 66219->66221 66222 6c7b6a43 std::_Facet_Register 4 API calls 66220->66222 66221->66223 66222->66223 66224 6c7b5960 104 API calls 66223->66224 66229 6c63c0db std::ios_base::_Ios_base_dtor _strlen 66224->66229 66225 6c63c7a5 66227 6c7b6a43 std::_Facet_Register 4 API calls 66225->66227 66226 6c63c7bc 66228 6c7b6a43 std::_Facet_Register 4 API calls 66226->66228 66237 6c63c753 _Yarn _strlen 66227->66237 66228->66237 66229->66098 66229->66225 66229->66226 66229->66237 66230 6c63d406 66233 6c7b6a43 std::_Facet_Register 4 API calls 66230->66233 66231 6c63d3ed 66232 6c7b6a43 std::_Facet_Register 4 API calls 66231->66232 66234 6c63d39a _Yarn 66232->66234 66233->66234 66235 6c7b5960 104 API calls 66234->66235 66238 6c63d458 std::ios_base::_Ios_base_dtor _strlen 66235->66238 66236 6c63cb2f 66237->66116 66237->66230 66237->66231 66237->66234 66237->66236 66238->66098 66239 6c63d8a4 66238->66239 66240 6c63d8bb 66238->66240 66243 6c63d852 _Yarn _strlen 66238->66243 66241 6c7b6a43 std::_Facet_Register 4 API calls 66239->66241 66242 6c7b6a43 std::_Facet_Register 4 API calls 66240->66242 66241->66243 66242->66243 66243->66116 66244 6c63dcb6 66243->66244 66245 6c63dccf 66243->66245 66248 6c63dc69 _Yarn 66243->66248 66246 6c7b6a43 std::_Facet_Register 4 API calls 66244->66246 66247 6c7b6a43 std::_Facet_Register 4 API calls 66245->66247 66246->66248 66247->66248 66249 6c7b5960 104 API calls 66248->66249 66251 6c63dd1c std::ios_base::_Ios_base_dtor 66249->66251 66250 6c7b4ff0 4 API calls 66250->66178 66251->66098 66251->66250 66253 6c7b6a48 66252->66253 66254 6c7b6a62 66253->66254 66257 6c7b6a64 std::_Facet_Register 66253->66257 66364 6c7bf014 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66253->66364 66254->66096 66256 6c7b78c3 std::_Facet_Register 66368 6c7b9379 RaiseException 66256->66368 66257->66256 66365 6c7b9379 RaiseException 66257->66365 66259 6c7b80bc IsProcessorFeaturePresent 66265 6c7b80e1 
66259->66265 66261 6c7b7883 66366 6c7b9379 RaiseException 66261->66366 66263 6c7b78a3 std::invalid_argument::invalid_argument 66367 6c7b9379 RaiseException 66263->66367 66265->66096 66267 6c7aaed6 FindFirstFileA 66266->66267 66268 6c7aaed4 66266->66268 66269 6c7aaf10 66267->66269 66268->66267 66269->66102 66272 6c7b5156 66270->66272 66271 6c7b51e8 OpenServiceA 66271->66272 66272->66271 66273 6c7b522f 66272->66273 66273->66147 66279 6c7a03a3 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 66274->66279 66275 6c7a3f5f CloseHandle 66275->66279 66276 6c7a310e CloseHandle 66276->66279 66277 6c7a251b CloseHandle 66277->66279 66278 6c6437cb 66282 6c7b5d60 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 66278->66282 66279->66275 66279->66276 66279->66277 66279->66278 66280 6c78c1e0 WriteFile WriteFile WriteFile ReadFile 66279->66280 66369 6c78b730 66279->66369 66280->66279 66282->66114 66284 6c656bd5 66283->66284 66380 6c682020 66284->66380 66286 6c656c68 66287 6c7b6a43 std::_Facet_Register 4 API calls 66286->66287 66288 6c656ca0 66287->66288 66397 6c7b7327 66288->66397 66290 6c656cb4 66409 6c681d90 66290->66409 66293 6c656d8e 66293->66158 66295 6c656dc8 66417 6c6826e0 24 API calls 4 library calls 66295->66417 66297 6c656dda 66418 6c7b9379 RaiseException 66297->66418 66299 6c656def 66300 6c67e010 67 API calls 66299->66300 66301 6c656e0f 66300->66301 66301->66158 66303 6c656e9f 66302->66303 66306 6c656eb3 66303->66306 66813 6c683560 32 API calls std::_Xinvalid_argument 66303->66813 66308 6c656f5b 66306->66308 66815 6c682250 30 API calls 66306->66815 66816 6c6826e0 24 API calls 4 library calls 66306->66816 66817 6c7b9379 RaiseException 66306->66817 66309 6c656f6e 66308->66309 66814 6c6837e0 32 API calls std::_Xinvalid_argument 66308->66814 66309->66158 66313 6c65709e 66312->66313 66317 6c6570d1 66312->66317 66818 6c6801f0 66313->66818 66315 6c657183 66315->66147 66317->66315 66822 6c682250 30 API calls 66317->66822 
66318 6c7c0b18 67 API calls 66318->66317 66320 6c6571ae 66823 6c682340 24 API calls 66320->66823 66322 6c6571be 66824 6c7b9379 RaiseException 66322->66824 66324 6c6571c9 66326 6c67e04b 66325->66326 66327 6c6801f0 64 API calls 66326->66327 66328 6c67e0a3 66326->66328 66329 6c67e098 66327->66329 66328->66147 66330 6c7c0b18 67 API calls 66329->66330 66330->66328 66331->66141 66333 6c7b50ca 66332->66333 66334 6c7b5080 WaitForSingleObject CloseHandle CloseHandle 66333->66334 66335 6c7b50e3 66333->66335 66334->66333 66335->66150 66336->66160 66338 6c7b59b7 66337->66338 66870 6c7b5ff0 66338->66870 66340 6c7b59c8 66341 6c656ba0 104 API calls 66340->66341 66345 6c7b59ec 66341->66345 66342 6c67e010 67 API calls 66343 6c7b5a9f std::ios_base::_Ios_base_dtor 66342->66343 66346 6c67e010 67 API calls 66343->66346 66347 6c7b5a54 66345->66347 66353 6c7b5a67 66345->66353 66889 6c7b6340 66345->66889 66897 6c692000 66345->66897 66348 6c7b5ae2 std::ios_base::_Ios_base_dtor 66346->66348 66907 6c7b5b90 66347->66907 66348->66201 66351 6c7b5a5c 66352 6c657090 77 API calls 66351->66352 66352->66353 66353->66342 66354->66192 66356 6c7b52a0 std::locale::_Setgloballocale 66355->66356 66357 6c7b5277 CloseHandle 66356->66357 66358 6c7b5320 Process32NextW 66356->66358 66359 6c7b53b1 66356->66359 66360 6c7b5345 Process32FirstW 66356->66360 66357->66356 66358->66356 66359->66121 66360->66356 66361->66138 66363->66120 66364->66253 66365->66261 66366->66263 66367->66256 66368->66259 66370 6c78b743 _Yarn __wsopen_s std::locale::_Setgloballocale 66369->66370 66371 6c78c180 66370->66371 66372 6c78bced CreateFileA 66370->66372 66374 6c78aa30 66370->66374 66371->66279 66372->66370 66375 6c78aa43 __wsopen_s std::locale::_Setgloballocale 66374->66375 66376 6c78b3e9 WriteFile 66375->66376 66377 6c78b43d WriteFile 66375->66377 66378 6c78b718 66375->66378 66379 6c78ab95 ReadFile 66375->66379 66376->66375 66377->66375 66378->66370 66379->66375 66381 6c7b6a43 std::_Facet_Register 4 API calls 66380->66381 66382 
6c68207e 66381->66382 66383 6c7b7327 43 API calls 66382->66383 66384 6c682092 66383->66384 66419 6c682f60 42 API calls 4 library calls 66384->66419 66386 6c6820c8 66387 6c682136 66386->66387 66389 6c68210d 66386->66389 66421 6c682250 30 API calls 66387->66421 66388 6c682120 66388->66286 66389->66388 66420 6c7b6f8e 9 API calls 2 library calls 66389->66420 66392 6c68215b 66422 6c682340 24 API calls 66392->66422 66394 6c682171 66423 6c7b9379 RaiseException 66394->66423 66396 6c68217c 66396->66286 66398 6c7b7333 __EH_prolog3 66397->66398 66424 6c7b6eb5 66398->66424 66403 6c7b7351 66438 6c7b73ba 39 API calls std::locale::_Setgloballocale 66403->66438 66404 6c7b736f 66430 6c7b6ee6 66404->66430 66405 6c7b73ac 66405->66290 66407 6c7b7359 66439 6c7b71b1 HeapFree GetLastError _Yarn 66407->66439 66410 6c681ddc 66409->66410 66411 6c656d5d 66409->66411 66444 6c7b7447 66410->66444 66411->66293 66416 6c682250 30 API calls 66411->66416 66415 6c681e82 66416->66295 66417->66297 66418->66299 66419->66386 66420->66388 66421->66392 66422->66394 66423->66396 66425 6c7b6ec4 66424->66425 66428 6c7b6ecb 66424->66428 66440 6c7c03cd 6 API calls std::_Lockit::_Lockit 66425->66440 66427 6c7b6ec9 66427->66404 66437 6c7b7230 6 API calls 2 library calls 66427->66437 66428->66427 66441 6c7b858b EnterCriticalSection 66428->66441 66431 6c7c03db 66430->66431 66432 6c7b6ef0 66430->66432 66443 6c7c03b6 LeaveCriticalSection 66431->66443 66434 6c7b6f03 66432->66434 66442 6c7b8599 LeaveCriticalSection 66432->66442 66434->66405 66436 6c7c03e2 66436->66405 66437->66403 66438->66407 66439->66404 66440->66427 66441->66427 66442->66434 66443->66436 66445 6c7b7450 66444->66445 66446 6c681dea 66445->66446 66453 6c7bfd4a 66445->66453 66446->66411 66452 6c7bc563 18 API calls __fassign 66446->66452 66448 6c7b749c 66448->66446 66464 6c7bfa58 65 API calls 66448->66464 66450 6c7b74b7 66450->66446 66465 6c7c0b18 66450->66465 66452->66415 66455 6c7bfd55 __wsopen_s 66453->66455 66454 6c7bfd68 66490 6c7c0120 18 API calls 
__fassign 66454->66490 66455->66454 66456 6c7bfd88 66455->66456 66458 6c7bfd78 66456->66458 66476 6c7cae0c 66456->66476 66458->66448 66464->66450 66466 6c7c0b24 __wsopen_s 66465->66466 66467 6c7c0b43 66466->66467 66469 6c7c0b2e 66466->66469 66474 6c7c0b3e 66467->66474 66671 6c7bc5a9 EnterCriticalSection 66467->66671 66686 6c7c0120 18 API calls __fassign 66469->66686 66470 6c7c0b60 66672 6c7c0b9c 66470->66672 66473 6c7c0b6b 66687 6c7c0b92 LeaveCriticalSection 66473->66687 66474->66446 66477 6c7cae18 __wsopen_s 66476->66477 66492 6c7c039f EnterCriticalSection 66477->66492 66479 6c7cae26 66493 6c7caeb0 66479->66493 66484 6c7caf72 66485 6c7cb091 66484->66485 66517 6c7cb114 66485->66517 66488 6c7bfdcc 66491 6c7bfdf5 LeaveCriticalSection 66488->66491 66490->66458 66491->66458 66492->66479 66494 6c7caed3 66493->66494 66495 6c7caf2b 66494->66495 66501 6c7cae33 66494->66501 66510 6c7bc5a9 EnterCriticalSection 66494->66510 66511 6c7bc5bd LeaveCriticalSection 66494->66511 66512 6c7c71e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66495->66512 66497 6c7caf34 66513 6c7c47bb HeapFree GetLastError _free 66497->66513 66500 6c7caf3d 66500->66501 66514 6c7c6c1f 6 API calls std::_Lockit::_Lockit 66500->66514 66507 6c7cae6c 66501->66507 66504 6c7caf5c 66515 6c7bc5a9 EnterCriticalSection 66504->66515 66506 6c7caf6f 66506->66501 66516 6c7c03b6 LeaveCriticalSection 66507->66516 66509 6c7bfda3 66509->66458 66509->66484 66510->66494 66511->66494 66512->66497 66513->66500 66514->66504 66515->66506 66516->66509 66518 6c7cb133 66517->66518 66519 6c7cb146 66518->66519 66523 6c7cb15b 66518->66523 66533 6c7c0120 18 API calls __fassign 66519->66533 66521 6c7cb0a7 66521->66488 66530 6c7d3fde 66521->66530 66528 6c7cb27b 66523->66528 66534 6c7d3ea8 37 API calls __fassign 66523->66534 66525 6c7cb2cb 66525->66528 66535 6c7d3ea8 37 API calls __fassign 66525->66535 66527 6c7cb2e9 66527->66528 66536 6c7d3ea8 37 API calls __fassign 66527->66536 66528->66521 66537 
6c7c0120 18 API calls __fassign 66528->66537 66538 6c7d4396 66530->66538 66533->66521 66534->66525 66535->66527 66536->66528 66537->66521 66540 6c7d43a2 __wsopen_s 66538->66540 66539 6c7d43a9 66556 6c7c0120 18 API calls __fassign 66539->66556 66540->66539 66541 6c7d43d4 66540->66541 66547 6c7d3ffe 66541->66547 66544 6c7d3ff9 66544->66488 66558 6c7c06cb 66547->66558 66553 6c7d4034 66554 6c7d4066 66553->66554 66598 6c7c47bb HeapFree GetLastError _free 66553->66598 66557 6c7d442b LeaveCriticalSection __wsopen_s 66554->66557 66556->66544 66557->66544 66599 6c7bbceb 66558->66599 66561 6c7c06ef 66563 6c7bbdf6 66561->66563 66608 6c7bbe4e 66563->66608 66565 6c7bbe0e 66565->66553 66566 6c7d406c 66565->66566 66623 6c7d44ec 66566->66623 66572 6c7d4115 66574 6c7d4192 GetFileType 66572->66574 66576 6c7d4167 GetLastError 66572->66576 66651 6c7d4457 CreateFileW 66572->66651 66573 6c7d409e __dosmaperr 66573->66553 66575 6c7d419d GetLastError 66574->66575 66578 6c7d41e4 66574->66578 66652 6c7bf9f2 __dosmaperr _free 66575->66652 66576->66573 66653 6c7d17b0 SetStdHandle __dosmaperr __wsopen_s 66578->66653 66579 6c7d41ab CloseHandle 66579->66573 66595 6c7d41d4 66579->66595 66582 6c7d415a 66582->66574 66582->66576 66583 6c7d4205 66584 6c7d4251 66583->66584 66654 6c7d4666 70 API calls 2 library calls 66583->66654 66588 6c7d4258 66584->66588 66668 6c7d4710 70 API calls 2 library calls 66584->66668 66587 6c7d4286 66587->66588 66589 6c7d4294 66587->66589 66655 6c7cb925 66588->66655 66589->66573 66591 6c7d4310 CloseHandle 66589->66591 66669 6c7d4457 CreateFileW 66591->66669 66593 6c7d433b 66594 6c7d4345 GetLastError 66593->66594 66593->66595 66596 6c7d4351 __dosmaperr 66594->66596 66595->66573 66670 6c7d171f SetStdHandle __dosmaperr __wsopen_s 66596->66670 66598->66554 66600 6c7bbd0b 66599->66600 66601 6c7bbd02 66599->66601 66600->66601 66602 6c7c49b2 __Getctype 37 API calls 66600->66602 66601->66561 66607 6c7c69d5 5 API calls std::_Lockit::_Lockit 66601->66607 66603 6c7bbd2b 66602->66603 
66604 6c7c4f28 __Getctype 37 API calls 66603->66604 66605 6c7bbd41 66604->66605 66606 6c7c4f55 __fassign 37 API calls 66605->66606 66606->66601 66607->66561 66609 6c7bbe5c 66608->66609 66610 6c7bbe76 66608->66610 66611 6c7bbddc __wsopen_s HeapFree GetLastError 66609->66611 66612 6c7bbe7d 66610->66612 66613 6c7bbe9c 66610->66613 66614 6c7bbe66 __dosmaperr 66611->66614 66612->66614 66616 6c7bbd9d __wsopen_s HeapFree GetLastError 66612->66616 66615 6c7c4843 __fassign MultiByteToWideChar 66613->66615 66614->66565 66619 6c7bbeab 66615->66619 66616->66614 66617 6c7bbeb2 GetLastError 66617->66614 66618 6c7bbed8 66618->66614 66621 6c7c4843 __fassign MultiByteToWideChar 66618->66621 66619->66617 66619->66618 66620 6c7bbd9d __wsopen_s HeapFree GetLastError 66619->66620 66620->66618 66622 6c7bbeef 66621->66622 66622->66614 66622->66617 66624 6c7d4527 66623->66624 66626 6c7d450d 66623->66626 66625 6c7d447c __wsopen_s 18 API calls 66624->66625 66630 6c7d455f 66625->66630 66626->66624 66627 6c7c0120 __fassign 18 API calls 66626->66627 66627->66624 66628 6c7d458e 66629 6c7d5911 __wsopen_s 18 API calls 66628->66629 66635 6c7d4089 66628->66635 66631 6c7d45dc 66629->66631 66630->66628 66633 6c7c0120 __fassign 18 API calls 66630->66633 66632 6c7d4659 66631->66632 66631->66635 66634 6c7c014d __Getctype 11 API calls 66632->66634 66633->66628 66636 6c7d4665 66634->66636 66635->66573 66637 6c7d160c 66635->66637 66638 6c7d1618 __wsopen_s 66637->66638 66639 6c7c039f std::_Lockit::_Lockit EnterCriticalSection 66638->66639 66644 6c7d161f 66639->66644 66640 6c7d1644 66642 6c7d1842 __wsopen_s 11 API calls 66640->66642 66641 6c7d1716 __wsopen_s LeaveCriticalSection 66643 6c7d1686 66641->66643 66645 6c7d1649 66642->66645 66643->66573 66650 6c7d4457 CreateFileW 66643->66650 66644->66640 66646 6c7d16b3 EnterCriticalSection 66644->66646 66647 6c7d1666 66644->66647 66645->66647 66649 6c7d1990 __wsopen_s EnterCriticalSection 66645->66649 66646->66647 66648 6c7d16c0 LeaveCriticalSection 66646->66648 
66647->66641 66648->66644 66649->66647 66650->66572 66651->66582 66652->66579 66653->66583 66654->66584 66656 6c7d15a2 __wsopen_s 18 API calls 66655->66656 66659 6c7cb935 66656->66659 66657 6c7cb93b 66658 6c7d171f __wsopen_s SetStdHandle 66657->66658 66667 6c7cb993 __dosmaperr 66658->66667 66659->66657 66660 6c7cb96d 66659->66660 66661 6c7d15a2 __wsopen_s 18 API calls 66659->66661 66660->66657 66662 6c7d15a2 __wsopen_s 18 API calls 66660->66662 66663 6c7cb964 66661->66663 66664 6c7cb979 CloseHandle 66662->66664 66665 6c7d15a2 __wsopen_s 18 API calls 66663->66665 66664->66657 66666 6c7cb985 GetLastError 66664->66666 66665->66660 66666->66657 66667->66573 66668->66587 66669->66593 66670->66595 66671->66470 66673 6c7c0bbe 66672->66673 66674 6c7c0ba9 66672->66674 66678 6c7c0bb9 66673->66678 66688 6c7c0cb9 66673->66688 66710 6c7c0120 18 API calls __fassign 66674->66710 66678->66473 66682 6c7c0be1 66703 6c7cb898 66682->66703 66684 6c7c0be7 66684->66678 66711 6c7c47bb HeapFree GetLastError _free 66684->66711 66686->66474 66687->66474 66689 6c7c0cd1 66688->66689 66693 6c7c0bd3 66688->66693 66690 6c7c9c60 18 API calls 66689->66690 66689->66693 66691 6c7c0cef 66690->66691 66712 6c7cbb6c 66691->66712 66694 6c7c873e 66693->66694 66695 6c7c0bdb 66694->66695 66696 6c7c8755 66694->66696 66698 6c7c9c60 66695->66698 66696->66695 66800 6c7c47bb HeapFree GetLastError _free 66696->66800 66699 6c7c9c6c 66698->66699 66700 6c7c9c81 66698->66700 66801 6c7c0120 18 API calls __fassign 66699->66801 66700->66682 66702 6c7c9c7c 66702->66682 66704 6c7cb8be 66703->66704 66705 6c7cb8a9 __dosmaperr 66703->66705 66706 6c7cb8e5 66704->66706 66707 6c7cb907 __dosmaperr 66704->66707 66705->66684 66802 6c7cb9c1 66706->66802 66810 6c7c0120 18 API calls __fassign 66707->66810 66710->66678 66711->66678 66713 6c7cbb78 __wsopen_s 66712->66713 66714 6c7cbb80 __dosmaperr 66713->66714 66715 6c7cbbca 66713->66715 66717 6c7cbc33 __dosmaperr 66713->66717 66714->66693 66723 6c7d1990 EnterCriticalSection 
66715->66723 66753 6c7c0120 18 API calls __fassign 66717->66753 66718 6c7cbbd0 66720 6c7cbbec __dosmaperr 66718->66720 66724 6c7cbc5e 66718->66724 66752 6c7cbc2b LeaveCriticalSection __wsopen_s 66720->66752 66723->66718 66725 6c7cbc80 66724->66725 66751 6c7cbc9c __dosmaperr 66724->66751 66726 6c7cbcd4 66725->66726 66728 6c7cbc84 __dosmaperr 66725->66728 66727 6c7cbce7 66726->66727 66762 6c7cac69 20 API calls __wsopen_s 66726->66762 66754 6c7cbe40 66727->66754 66761 6c7c0120 18 API calls __fassign 66728->66761 66733 6c7cbd3c 66735 6c7cbd95 WriteFile 66733->66735 66736 6c7cbd50 66733->66736 66734 6c7cbcfd 66737 6c7cbd26 66734->66737 66738 6c7cbd01 66734->66738 66741 6c7cbdb9 GetLastError 66735->66741 66735->66751 66739 6c7cbd5b 66736->66739 66740 6c7cbd85 66736->66740 66764 6c7cbeb1 43 API calls 5 library calls 66737->66764 66738->66751 66763 6c7cc25b 6 API calls __wsopen_s 66738->66763 66743 6c7cbd75 66739->66743 66744 6c7cbd60 66739->66744 66767 6c7cc2c3 7 API calls 2 library calls 66740->66767 66741->66751 66766 6c7cc487 8 API calls 3 library calls 66743->66766 66747 6c7cbd65 66744->66747 66744->66751 66765 6c7cc39e 7 API calls 2 library calls 66747->66765 66749 6c7cbd73 66749->66751 66751->66720 66752->66714 66753->66714 66768 6c7d19e5 66754->66768 66756 6c7cbe51 66760 6c7cbcf8 66756->66760 66773 6c7c49b2 GetLastError 66756->66773 66758 6c7cbe8e GetConsoleMode 66758->66760 66760->66733 66760->66734 66761->66751 66762->66727 66763->66751 66764->66751 66765->66749 66766->66749 66767->66749 66770 6c7d19f2 66768->66770 66771 6c7d19ff 66768->66771 66769 6c7d1a0b 66769->66756 66770->66756 66771->66769 66772 6c7c0120 __fassign 18 API calls 66771->66772 66772->66770 66774 6c7c49c9 66773->66774 66777 6c7c49cf 66773->66777 66775 6c7c6b23 __Getctype 6 API calls 66774->66775 66775->66777 66776 6c7c6b62 __Getctype 6 API calls 66778 6c7c49ed 66776->66778 66777->66776 66779 6c7c49d5 SetLastError 66777->66779 66778->66779 66780 6c7c49f1 66778->66780 66786 6c7c4a69 66779->66786 
66787 6c7c4a63 66779->66787 66781 6c7c71e5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 66780->66781 66782 6c7c49fd 66781->66782 66784 6c7c4a1c 66782->66784 66785 6c7c4a05 66782->66785 66790 6c7c6b62 __Getctype 6 API calls 66784->66790 66788 6c7c6b62 __Getctype 6 API calls 66785->66788 66789 6c7c0ac9 __Getctype 35 API calls 66786->66789 66787->66758 66787->66760 66791 6c7c4a13 66788->66791 66792 6c7c4a6e 66789->66792 66793 6c7c4a28 66790->66793 66796 6c7c47bb _free HeapFree GetLastError 66791->66796 66794 6c7c4a2c 66793->66794 66795 6c7c4a3d 66793->66795 66797 6c7c6b62 __Getctype 6 API calls 66794->66797 66799 6c7c47bb _free HeapFree GetLastError 66795->66799 66798 6c7c4a19 66796->66798 66797->66791 66798->66779 66799->66798 66800->66695 66801->66702 66803 6c7cb9cd __wsopen_s 66802->66803 66811 6c7d1990 EnterCriticalSection 66803->66811 66805 6c7cb9db 66806 6c7cb925 __wsopen_s 21 API calls 66805->66806 66807 6c7cba08 66805->66807 66806->66807 66812 6c7cba41 LeaveCriticalSection __wsopen_s 66807->66812 66809 6c7cba2a 66809->66705 66810->66705 66811->66805 66812->66809 66813->66306 66814->66309 66815->66306 66816->66306 66817->66306 66819 6c68022e 66818->66819 66820 6c6570c4 66819->66820 66825 6c7c17db 66819->66825 66820->66318 66822->66320 66823->66322 66824->66324 66826 6c7c17e9 66825->66826 66827 6c7c1806 66825->66827 66826->66827 66828 6c7c180a 66826->66828 66829 6c7c17f6 66826->66829 66827->66819 66833 6c7c1a02 66828->66833 66841 6c7c0120 18 API calls __fassign 66829->66841 66834 6c7c1a0e __wsopen_s 66833->66834 66842 6c7bc5a9 EnterCriticalSection 66834->66842 66836 6c7c1a1c 66843 6c7c19bf 66836->66843 66840 6c7c183c 66840->66819 66841->66827 66842->66836 66851 6c7c85a6 66843->66851 66849 6c7c19f9 66850 6c7c1a51 LeaveCriticalSection 66849->66850 66850->66840 66852 6c7c9c60 18 API calls 66851->66852 66853 6c7c85b7 66852->66853 66854 6c7d19e5 __wsopen_s 18 API calls 66853->66854 66856 6c7c85bd __wsopen_s 66854->66856 66855 6c7c19d3 66858 6c7c183e 
66855->66858 66856->66855 66868 6c7c47bb HeapFree GetLastError _free 66856->66868 66860 6c7c1850 66858->66860 66862 6c7c186e 66858->66862 66859 6c7c185e 66869 6c7c0120 18 API calls __fassign 66859->66869 66860->66859 66860->66862 66865 6c7c1886 _Yarn 66860->66865 66867 6c7c8659 62 API calls 66862->66867 66863 6c7c0cb9 62 API calls 66863->66865 66864 6c7c9c60 18 API calls 66864->66865 66865->66862 66865->66863 66865->66864 66866 6c7cbb6c __wsopen_s 62 API calls 66865->66866 66866->66865 66867->66849 66868->66855 66869->66862 66871 6c7b6025 66870->66871 66872 6c682020 52 API calls 66871->66872 66873 6c7b60c6 66872->66873 66874 6c7b6a43 std::_Facet_Register 4 API calls 66873->66874 66875 6c7b60fe 66874->66875 66876 6c7b7327 43 API calls 66875->66876 66877 6c7b6112 66876->66877 66878 6c681d90 89 API calls 66877->66878 66879 6c7b61bb 66878->66879 66880 6c7b61ec 66879->66880 66922 6c682250 30 API calls 66879->66922 66880->66340 66882 6c7b6226 66923 6c6826e0 24 API calls 4 library calls 66882->66923 66884 6c7b6238 66924 6c7b9379 RaiseException 66884->66924 66886 6c7b624d 66887 6c67e010 67 API calls 66886->66887 66888 6c7b625f 66887->66888 66888->66340 66890 6c7b638d 66889->66890 66925 6c7b65a0 66890->66925 66892 6c7b647c 66892->66345 66895 6c7b63a5 66895->66892 66943 6c682250 30 API calls 66895->66943 66944 6c6826e0 24 API calls 4 library calls 66895->66944 66945 6c7b9379 RaiseException 66895->66945 66898 6c69203f 66897->66898 66901 6c692053 66898->66901 66954 6c683560 32 API calls std::_Xinvalid_argument 66898->66954 66902 6c69210e 66901->66902 66956 6c682250 30 API calls 66901->66956 66957 6c6826e0 24 API calls 4 library calls 66901->66957 66958 6c7b9379 RaiseException 66901->66958 66906 6c692121 66902->66906 66955 6c6837e0 32 API calls std::_Xinvalid_argument 66902->66955 66906->66345 66908 6c7b5b9e 66907->66908 66911 6c7b5bd1 66907->66911 66910 6c6801f0 64 API calls 66908->66910 66909 6c7b5c83 66909->66351 66912 6c7b5bc4 66910->66912 66911->66909 66959 6c682250 30 API 
calls 66911->66959 66914 6c7c0b18 67 API calls 66912->66914 66914->66911 66915 6c7b5cae 66960 6c682340 24 API calls 66915->66960 66917 6c7b5cbe 66961 6c7b9379 RaiseException 66917->66961 66919 6c7b5cc9 66920 6c67e010 67 API calls 66919->66920 66921 6c7b5d22 std::ios_base::_Ios_base_dtor 66920->66921 66921->66351 66922->66882 66923->66884 66924->66886 66926 6c7b6608 66925->66926 66927 6c7b65dc 66925->66927 66933 6c7b6619 66926->66933 66946 6c683560 32 API calls std::_Xinvalid_argument 66926->66946 66941 6c7b6601 66927->66941 66948 6c682250 30 API calls 66927->66948 66930 6c7b67e8 66949 6c682340 24 API calls 66930->66949 66932 6c7b67f7 66950 6c7b9379 RaiseException 66932->66950 66933->66941 66947 6c682f60 42 API calls 4 library calls 66933->66947 66937 6c7b6827 66952 6c682340 24 API calls 66937->66952 66939 6c7b683d 66953 6c7b9379 RaiseException 66939->66953 66941->66895 66942 6c7b6653 66942->66941 66951 6c682250 30 API calls 66942->66951 66943->66895 66944->66895 66945->66895 66946->66933 66947->66942 66948->66930 66949->66932 66950->66942 66951->66937 66952->66939 66953->66941 66954->66901 66955->66906 66956->66901 66957->66901 66958->66901 66959->66915 66960->66917 66961->66919 66962 6c633d62 66964 6c633bc0 66962->66964 66963 6c633e8a GetCurrentThread NtSetInformationThread 66965 6c633eea 66963->66965 66964->66963 66966 6c644a27 66967 6c644a5d _strlen 66966->66967 66968 6c65639e 66967->66968 66969 6c645b6f 66967->66969 66970 6c645b58 66967->66970 66974 6c645b09 _Yarn 66967->66974 67057 6c7c0130 18 API calls 2 library calls 66968->67057 66972 6c7b6a43 std::_Facet_Register 4 API calls 66969->66972 66971 6c7b6a43 std::_Facet_Register 4 API calls 66970->66971 66971->66974 66972->66974 66975 6c7aaec0 FindFirstFileA 66974->66975 66977 6c645bad std::ios_base::_Ios_base_dtor 66975->66977 66976 6c7b4ff0 4 API calls 66986 6c6461cb _strlen 66976->66986 66977->66968 66977->66976 66980 6c649ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 66977->66980 66978 6c7b6a43 
IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66978->66980 66979 6c7aaec0 FindFirstFileA 66979->66980 66980->66968 66980->66978 66980->66979 66981 6c64a292 Sleep 66980->66981 66999 6c64e619 66980->66999 67000 6c649bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 66981->67000 66982 6c646624 66985 6c7b6a43 std::_Facet_Register 4 API calls 66982->66985 66983 6c64660d 66984 6c7b6a43 std::_Facet_Register 4 API calls 66983->66984 66992 6c6465bc _Yarn _strlen 66984->66992 66985->66992 66986->66968 66986->66982 66986->66983 66986->66992 66987 6c7b4ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 66987->67000 66988 6c6563b2 67058 6c6315e0 18 API calls std::ios_base::_Ios_base_dtor 66988->67058 66989 6c649bbd GetCurrentProcess TerminateProcess 66989->66980 66991 6c6564f8 66992->66988 66993 6c646970 66992->66993 66994 6c646989 66992->66994 66997 6c646920 _Yarn 66992->66997 66995 6c7b6a43 std::_Facet_Register 4 API calls 66993->66995 66996 6c7b6a43 std::_Facet_Register 4 API calls 66994->66996 66995->66997 66996->66997 66998 6c7b5960 104 API calls 66997->66998 67001 6c6469d6 std::ios_base::_Ios_base_dtor _strlen 66998->67001 67002 6c64f243 CreateFileA 66999->67002 67000->66968 67000->66980 67000->66987 67000->66988 67000->66989 67008 6c7b5960 104 API calls 67000->67008 67054 6c7b6a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 67000->67054 67001->66968 67003 6c646dd2 67001->67003 67004 6c646dbb 67001->67004 67017 6c646d69 _Yarn _strlen 67001->67017 67014 6c64f2a7 67002->67014 67006 6c7b6a43 std::_Facet_Register 4 API calls 67003->67006 67005 6c7b6a43 std::_Facet_Register 4 API calls 67004->67005 67005->67017 67006->67017 67007 6c6502ca 67008->67000 67009 6c647427 67011 6c7b6a43 std::_Facet_Register 4 API calls 67009->67011 67010 6c647440 67012 6c7b6a43 std::_Facet_Register 4 API calls 67010->67012 67013 6c6473da _Yarn 67011->67013 67012->67013 
67015 6c7b5960 104 API calls 67013->67015 67014->67007 67016 6c6502ac GetCurrentProcess TerminateProcess 67014->67016 67018 6c64748d std::ios_base::_Ios_base_dtor _strlen 67015->67018 67016->67007 67017->66988 67017->67009 67017->67010 67017->67013 67018->66968 67019 6c647991 67018->67019 67020 6c6479a8 67018->67020 67027 6c647940 _Yarn _strlen 67018->67027 67021 6c7b6a43 std::_Facet_Register 4 API calls 67019->67021 67022 6c7b6a43 std::_Facet_Register 4 API calls 67020->67022 67021->67027 67022->67027 67023 6c647de2 67026 6c7b6a43 std::_Facet_Register 4 API calls 67023->67026 67024 6c647dc9 67025 6c7b6a43 std::_Facet_Register 4 API calls 67024->67025 67028 6c647d7c _Yarn 67025->67028 67026->67028 67027->66988 67027->67023 67027->67024 67027->67028 67029 6c7b5960 104 API calls 67028->67029 67030 6c647e2f std::ios_base::_Ios_base_dtor _strlen 67029->67030 67030->66968 67031 6c6485bf 67030->67031 67032 6c6485a8 67030->67032 67039 6c648556 _Yarn _strlen 67030->67039 67034 6c7b6a43 std::_Facet_Register 4 API calls 67031->67034 67033 6c7b6a43 std::_Facet_Register 4 API calls 67032->67033 67033->67039 67034->67039 67035 6c648983 67038 6c7b6a43 std::_Facet_Register 4 API calls 67035->67038 67036 6c64896a 67037 6c7b6a43 std::_Facet_Register 4 API calls 67036->67037 67040 6c64891d _Yarn 67037->67040 67038->67040 67039->66988 67039->67035 67039->67036 67039->67040 67041 6c7b5960 104 API calls 67040->67041 67044 6c6489d0 std::ios_base::_Ios_base_dtor _strlen 67041->67044 67042 6c648f36 67046 6c7b6a43 std::_Facet_Register 4 API calls 67042->67046 67043 6c648f1f 67045 6c7b6a43 std::_Facet_Register 4 API calls 67043->67045 67044->66968 67044->67042 67044->67043 67047 6c648ecd _Yarn _strlen 67044->67047 67045->67047 67046->67047 67047->66988 67048 6c649354 67047->67048 67049 6c64936d 67047->67049 67052 6c649307 _Yarn 67047->67052 67050 6c7b6a43 std::_Facet_Register 4 API calls 67048->67050 67051 6c7b6a43 std::_Facet_Register 4 API calls 67049->67051 67050->67052 67051->67052 
67053 6c7b5960 104 API calls 67052->67053 67056 6c6493ba std::ios_base::_Ios_base_dtor 67053->67056 67054->67000 67055 6c7b4ff0 4 API calls 67055->66980 67056->66968 67056->67055 67058->66991 67059 6c64f150 67061 6c64efbe 67059->67061 67060 6c64f243 CreateFileA 67063 6c64f2a7 67060->67063 67061->67060 67062 6c6502ca 67063->67062 67064 6c6502ac GetCurrentProcess TerminateProcess 67063->67064 67064->67062 67065 6c7bef3f 67066 6c7bef4b __wsopen_s 67065->67066 67067 6c7bef5f 67066->67067 67068 6c7bef52 GetLastError ExitThread 67066->67068 67069 6c7c49b2 __Getctype 37 API calls 67067->67069 67070 6c7bef64 67069->67070 67077 6c7c9d66 67070->67077 67073 6c7bef7b 67083 6c7beeaa 16 API calls 2 library calls 67073->67083 67076 6c7bef9d 67078 6c7c9d78 GetPEB 67077->67078 67079 6c7bef6f 67077->67079 67078->67079 67080 6c7c9d8b 67078->67080 67079->67073 67082 6c7c6d6f 5 API calls std::_Lockit::_Lockit 67079->67082 67084 6c7c6e18 5 API calls std::_Lockit::_Lockit 67080->67084 67082->67073 67083->67076 67084->67079 67085 6c643b72 67086 6c7b6a43 std::_Facet_Register 4 API calls 67085->67086 67092 6c6437e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 67086->67092 67087 6c7aaec0 FindFirstFileA 67087->67092 67090 6c656ba0 104 API calls 67090->67092 67091 6c656e60 32 API calls 67091->67092 67092->67087 67092->67090 67092->67091 67093 6c657090 77 API calls 67092->67093 67094 6c67e010 67 API calls 67092->67094 67095 6c65639e 67092->67095 67093->67092 67094->67092 67098 6c7c0130 18 API calls 2 library calls 67095->67098 67099 6c7ccad3 67100 6c7ccafd 67099->67100 67101 6c7ccae5 __dosmaperr 67099->67101 67100->67101 67103 6c7ccb48 __dosmaperr 67100->67103 67104 6c7ccb77 67100->67104 67141 6c7c0120 18 API calls __fassign 67103->67141 67105 6c7ccb90 67104->67105 67106 6c7ccbab __dosmaperr 67104->67106 67109 6c7ccbe7 __wsopen_s 67104->67109 67105->67106 67108 6c7ccb95 67105->67108 67134 6c7c0120 18 API calls __fassign 67106->67134 67107 6c7d19e5 __wsopen_s 18 API calls 67110 6c7ccd3e 
67107->67110 67108->67107 67135 6c7c47bb HeapFree GetLastError _free 67109->67135 67113 6c7ccdb4 67110->67113 67117 6c7ccd57 GetConsoleMode 67110->67117 67116 6c7ccdb8 ReadFile 67113->67116 67114 6c7ccc07 67136 6c7c47bb HeapFree GetLastError _free 67114->67136 67119 6c7cce2c GetLastError 67116->67119 67120 6c7ccdd2 67116->67120 67117->67113 67121 6c7ccd68 67117->67121 67118 6c7ccc0e 67122 6c7ccbc2 __dosmaperr __wsopen_s 67118->67122 67137 6c7cac69 20 API calls __wsopen_s 67118->67137 67119->67122 67120->67119 67123 6c7ccda9 67120->67123 67121->67116 67124 6c7ccd6e ReadConsoleW 67121->67124 67138 6c7c47bb HeapFree GetLastError _free 67122->67138 67123->67122 67128 6c7cce0e 67123->67128 67129 6c7ccdf7 67123->67129 67124->67123 67127 6c7ccd8a GetLastError 67124->67127 67127->67122 67128->67122 67131 6c7cce25 67128->67131 67139 6c7ccefe 23 API calls 3 library calls 67129->67139 67140 6c7cd1b6 21 API calls __wsopen_s 67131->67140 67133 6c7cce2a 67133->67122 67134->67122 67135->67114 67136->67118 67137->67108 67138->67101 67139->67122 67140->67133 67141->67101
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 33ef746c46d28c96e16b4bb474b095592f6d1b1c965e89251ca85e73edbbce62
                              • Instruction ID: 86eb74eb3cdef4ce1f8a880e16651d1a85ff0016cf794546f118fe5ba31b6d08
                              • Opcode Fuzzy Hash: 33ef746c46d28c96e16b4bb474b095592f6d1b1c965e89251ca85e73edbbce62
                              • Instruction Fuzzy Hash: 07741571644B018FC728CF28C8D06D5B7F3EF95318B19DA2DC0AA8BA55EB74B54ACB44
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: 41756269f30692aa142c610124dbf87ee3e28e5dd8e2cd1faee6372404b88412
                              • Instruction ID: 4ceb5e4987d867994ea24cda3a03ce9942aa4f35414922e3f09462902f1878f8
                              • Opcode Fuzzy Hash: 41756269f30692aa142c610124dbf87ee3e28e5dd8e2cd1faee6372404b88412
                              • Instruction Fuzzy Hash: 5A341971645B018FC728CF28C8D0A96B7E3EFC5318B19CA6DC0968BB55EB74B54ACB44
                              Control-flow Graph
                              control_flow_graph 7677 6c7b5240-6c7b5275 CreateToolhelp32Snapshot 7678 6c7b52a0-6c7b52a9 7677->7678 7679 6c7b52ab-6c7b52b0 7678->7679 7680 6c7b52e0-6c7b52e5 7678->7680 7681 6c7b52b2-6c7b52b7 7679->7681 7682 6c7b5315-6c7b531a 7679->7682 7683 6c7b52eb-6c7b52f0 7680->7683 7684 6c7b5377-6c7b53a1 call 6c7c2c05 7680->7684 7686 6c7b52b9-6c7b52be 7681->7686 7687 6c7b5334-6c7b535d call 6c7bb920 Process32FirstW 7681->7687 7690 6c7b5320-6c7b5332 Process32NextW 7682->7690 7691 6c7b53a6-6c7b53ab 7682->7691 7688 6c7b52f2-6c7b52f7 7683->7688 7689 6c7b5277-6c7b5292 CloseHandle 7683->7689 7684->7678 7686->7678 7694 6c7b52c0-6c7b52d1 7686->7694 7696 6c7b5362-6c7b5372 7687->7696 7688->7678 7695 6c7b52f9-6c7b5313 7688->7695 7689->7678 7690->7696 7691->7678 7693 6c7b53b1-6c7b53bf 7691->7693 7694->7678 7695->7678 7696->7678
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C7B524E
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: 7054737ebe3ad2b4e6daa2e2203786e741401c1683fef36805e7092d2d9a4dfe
                              • Instruction ID: e703e983933c7e92049e6144f96d942527de8355b9292908d6f5d1b08757899a
                              • Opcode Fuzzy Hash: 7054737ebe3ad2b4e6daa2e2203786e741401c1683fef36805e7092d2d9a4dfe
                              • Instruction Fuzzy Hash: 59318DB46093009FD7519F28D988B4ABBF4AF96758F50493EF488E7360D371D8488B93
                              Control-flow Graph
                              control_flow_graph 7821 6c633886-6c63388e 7822 6c633970-6c63397d 7821->7822 7823 6c633894-6c633896 7821->7823 7824 6c6339f1-6c6339f8 7822->7824 7825 6c63397f-6c633989 7822->7825 7823->7822 7826 6c63389c-6c6338b9 7823->7826 7828 6c633ab5-6c633aba 7824->7828 7829 6c6339fe-6c633a03 7824->7829 7825->7826 7827 6c63398f-6c633994 7825->7827 7830 6c6338c0-6c6338c1 7826->7830 7832 6c633b16-6c633b18 7827->7832 7833 6c63399a-6c63399f 7827->7833 7828->7826 7831 6c633ac0-6c633ac7 7828->7831 7834 6c6338d2-6c6338d4 7829->7834 7835 6c633a09-6c633a2f 7829->7835 7836 6c63395e 7830->7836 7831->7830 7838 6c633acd-6c633ad6 7831->7838 7832->7830 7839 6c6339a5-6c6339bf 7833->7839 7840 6c63383b-6c633855 call 6c781470 call 6c781480 7833->7840 7843 6c633957-6c63395c 7834->7843 7841 6c633a35-6c633a3a 7835->7841 7842 6c6338f8-6c633955 7835->7842 7837 6c633960-6c633964 7836->7837 7845 6c633860-6c633885 7837->7845 7846 6c63396a 7837->7846 7838->7832 7847 6c633ad8-6c633aeb 7838->7847 7848 6c633a5a-6c633a5d 7839->7848 7840->7845 7849 6c633a40-6c633a57 7841->7849 7850 6c633b1d-6c633b22 7841->7850 7842->7843 7843->7836 7845->7821 7852 6c633ba1-6c633bb6 7846->7852 7847->7842 7853 6c633af1-6c633af8 7847->7853 7857 6c633aa9-6c633ab0 7848->7857 7849->7848 7855 6c633b24-6c633b44 7850->7855 7856 6c633b49-6c633b50 7850->7856 7864 6c633bc0-6c633bda call 6c781470 call 6c781480 7852->7864 7859 6c633b62-6c633b85 7853->7859 7860 6c633afa-6c633aff 7853->7860 7855->7857 7856->7830 7863 6c633b56-6c633b5d 7856->7863 7857->7837 7859->7842 7867 6c633b8b 7859->7867 7860->7843 7863->7837 7872 6c633be0-6c633bfe 7864->7872 7867->7852 7875 6c633c04-6c633c11 7872->7875 7876 6c633e7b 7872->7876 7878 6c633ce0-6c633cea 7875->7878 7879 6c633c17-6c633c20 7875->7879 7877 6c633e81-6c633ee0 call 6c633750 GetCurrentThread NtSetInformationThread 7876->7877 7893 6c633eea-6c633f04 call 6c781470 call 6c781480 7877->7893 7882 6c633d3a-6c633d3c 7878->7882 7883 6c633cec-6c633d0c 7878->7883 7880 
6c633c26-6c633c2d 7879->7880 7881 6c633dc5 7879->7881 7887 6c633dc3 7880->7887 7888 6c633c33-6c633c3a 7880->7888 7886 6c633dc6 7881->7886 7890 6c633d70-6c633d8d 7882->7890 7891 6c633d3e-6c633d45 7882->7891 7889 6c633d90-6c633d95 7883->7889 7898 6c633dc8-6c633dcc 7886->7898 7887->7881 7896 6c633c40-6c633c5b 7888->7896 7897 6c633e26-6c633e2b 7888->7897 7894 6c633d97-6c633db8 7889->7894 7895 6c633dba-6c633dc1 7889->7895 7890->7889 7892 6c633d50-6c633d57 7891->7892 7892->7886 7915 6c633f75-6c633fa1 7893->7915 7894->7881 7895->7887 7900 6c633dd7-6c633ddc 7895->7900 7901 6c633e1b-6c633e24 7896->7901 7902 6c633e31 7897->7902 7903 6c633c7b-6c633cd0 7897->7903 7898->7872 7904 6c633dd2 7898->7904 7907 6c633e36-6c633e3d 7900->7907 7908 6c633dde-6c633e17 7900->7908 7901->7898 7906 6c633e76-6c633e79 7901->7906 7902->7864 7903->7892 7904->7906 7906->7877 7911 6c633e3f-6c633e5a 7907->7911 7912 6c633e5c-6c633e5f 7907->7912 7908->7901 7911->7901 7912->7903 7914 6c633e65-6c633e69 7912->7914 7914->7898 7914->7906 7919 6c633fa3-6c633fa8 7915->7919 7920 6c634020-6c634026 7915->7920 7923 6c633fae-6c633fcf 7919->7923 7924 6c63407c-6c634081 7919->7924 7921 6c633f06-6c633f35 7920->7921 7922 6c63402c-6c63403c 7920->7922 7925 6c633f38-6c633f61 7921->7925 7926 6c6340b3-6c6340b8 7922->7926 7927 6c63403e-6c634058 7922->7927 7929 6c6340aa-6c6340ae 7923->7929 7928 6c634083-6c63408a 7924->7928 7924->7929 7930 6c633f64-6c633f67 7925->7930 7926->7923 7933 6c6340be-6c6340c9 7926->7933 7931 6c63405a-6c634063 7927->7931 7928->7925 7932 6c634090 7928->7932 7934 6c633f6b-6c633f6f 7929->7934 7935 6c633f69 7930->7935 7936 6c6340f5-6c63413f 7931->7936 7937 6c634069-6c63406c 7931->7937 7932->7893 7938 6c6340a7 7932->7938 7933->7929 7939 6c6340cb-6c6340d4 7933->7939 7934->7915 7935->7934 7936->7935 7942 6c634072-6c634077 7937->7942 7943 6c634144-6c63414b 7937->7943 7938->7929 7939->7938 7940 6c6340d6-6c6340f0 7939->7940 7940->7931 7942->7930 7943->7934
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: da5dc642548c6eaf92bb0cb1b725ad8fe32728d88a5c8c35653efc73b14671f5
                              • Instruction ID: 32f0d11a8595c4bf471b8819d74f1bd10880e628b4263f102e148288d36f1b6d
                              • Opcode Fuzzy Hash: da5dc642548c6eaf92bb0cb1b725ad8fe32728d88a5c8c35653efc73b14671f5
                              • Instruction Fuzzy Hash: AD320332245B118FC324CF28C8C06A6B7E3EFD13147699A6DC0EA4BA95D775B44BCB54
                              Control-flow Graph
                              control_flow_graph 7969 6c633a6a-6c633a85 7970 6c633a87-6c633aa7 7969->7970 7971 6c633aa9-6c633ab0 7970->7971 7972 6c633960-6c633964 7971->7972 7973 6c633860-6c63388e 7972->7973 7974 6c63396a 7972->7974 7984 6c633970-6c63397d 7973->7984 7985 6c633894-6c633896 7973->7985 7975 6c633ba1-6c633bb6 7974->7975 7978 6c633bc0-6c633bda call 6c781470 call 6c781480 7975->7978 7990 6c633be0-6c633bfe 7978->7990 7987 6c6339f1-6c6339f8 7984->7987 7988 6c63397f-6c633989 7984->7988 7985->7984 7989 6c63389c-6c6338b9 7985->7989 7992 6c633ab5-6c633aba 7987->7992 7993 6c6339fe-6c633a03 7987->7993 7988->7989 7991 6c63398f-6c633994 7988->7991 7994 6c6338c0-6c6338c1 7989->7994 8011 6c633c04-6c633c11 7990->8011 8012 6c633e7b 7990->8012 7997 6c633b16-6c633b18 7991->7997 7998 6c63399a-6c63399f 7991->7998 7992->7989 7995 6c633ac0-6c633ac7 7992->7995 7999 6c6338d2-6c6338d4 7993->7999 8000 6c633a09-6c633a2f 7993->8000 8001 6c63395e 7994->8001 7995->7994 8002 6c633acd-6c633ad6 7995->8002 7997->7994 8004 6c6339a5-6c6339bf 7998->8004 8005 6c63383b-6c633855 call 6c781470 call 6c781480 7998->8005 8008 6c633957-6c63395c 7999->8008 8006 6c633a35-6c633a3a 8000->8006 8007 6c6338f8-6c633955 8000->8007 8001->7972 8002->7997 8010 6c633ad8-6c633aeb 8002->8010 8013 6c633a5a-6c633a5d 8004->8013 8005->7973 8014 6c633a40-6c633a57 8006->8014 8015 6c633b1d-6c633b22 8006->8015 8007->8008 8008->8001 8010->8007 8018 6c633af1-6c633af8 8010->8018 8019 6c633ce0-6c633cea 8011->8019 8020 6c633c17-6c633c20 8011->8020 8017 6c633e81-6c633ee0 call 6c633750 GetCurrentThread NtSetInformationThread 8012->8017 8013->7971 8014->8013 8021 6c633b24-6c633b44 8015->8021 8022 6c633b49-6c633b50 8015->8022 8042 6c633eea-6c633f04 call 6c781470 call 6c781480 8017->8042 8024 6c633b62-6c633b85 8018->8024 8025 6c633afa-6c633aff 8018->8025 8029 6c633d3a-6c633d3c 8019->8029 8030 6c633cec-6c633d0c 8019->8030 8026 6c633c26-6c633c2d 8020->8026 8027 6c633dc5 8020->8027 8021->7970 8022->7994 8028 6c633b56-6c633b5d 
8022->8028 8024->8007 8037 6c633b8b 8024->8037 8025->8008 8035 6c633dc3 8026->8035 8036 6c633c33-6c633c3a 8026->8036 8034 6c633dc6 8027->8034 8028->7972 8039 6c633d70-6c633d8d 8029->8039 8040 6c633d3e-6c633d45 8029->8040 8038 6c633d90-6c633d95 8030->8038 8047 6c633dc8-6c633dcc 8034->8047 8035->8027 8045 6c633c40-6c633c5b 8036->8045 8046 6c633e26-6c633e2b 8036->8046 8037->7975 8043 6c633d97-6c633db8 8038->8043 8044 6c633dba-6c633dc1 8038->8044 8039->8038 8041 6c633d50-6c633d57 8040->8041 8041->8034 8064 6c633f75-6c633fa1 8042->8064 8043->8027 8044->8035 8049 6c633dd7-6c633ddc 8044->8049 8050 6c633e1b-6c633e24 8045->8050 8051 6c633e31 8046->8051 8052 6c633c7b-6c633cd0 8046->8052 8047->7990 8053 6c633dd2 8047->8053 8056 6c633e36-6c633e3d 8049->8056 8057 6c633dde-6c633e17 8049->8057 8050->8047 8055 6c633e76-6c633e79 8050->8055 8051->7978 8052->8041 8053->8055 8055->8017 8060 6c633e3f-6c633e5a 8056->8060 8061 6c633e5c-6c633e5f 8056->8061 8057->8050 8060->8050 8061->8052 8063 6c633e65-6c633e69 8061->8063 8063->8047 8063->8055 8068 6c633fa3-6c633fa8 8064->8068 8069 6c634020-6c634026 8064->8069 8072 6c633fae-6c633fcf 8068->8072 8073 6c63407c-6c634081 8068->8073 8070 6c633f06-6c633f35 8069->8070 8071 6c63402c-6c63403c 8069->8071 8074 6c633f38-6c633f61 8070->8074 8075 6c6340b3-6c6340b8 8071->8075 8076 6c63403e-6c634058 8071->8076 8078 6c6340aa-6c6340ae 8072->8078 8077 6c634083-6c63408a 8073->8077 8073->8078 8079 6c633f64-6c633f67 8074->8079 8075->8072 8082 6c6340be-6c6340c9 8075->8082 8080 6c63405a-6c634063 8076->8080 8077->8074 8081 6c634090 8077->8081 8083 6c633f6b-6c633f6f 8078->8083 8084 6c633f69 8079->8084 8085 6c6340f5-6c63413f 8080->8085 8086 6c634069-6c63406c 8080->8086 8081->8042 8087 6c6340a7 8081->8087 8082->8078 8088 6c6340cb-6c6340d4 8082->8088 8083->8064 8084->8083 8085->8084 8091 6c634072-6c634077 8086->8091 8092 6c634144-6c63414b 8086->8092 8087->8078 8088->8087 8089 6c6340d6-6c6340f0 8088->8089 8089->8080 8091->8079 8092->8083
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: d793962f192c712eb317e755d40f714118a7d847a30565a9f21a3b4f0e8f94ce
                              • Instruction ID: 7b751cb9f3b5fcaf1b08e7d4ed288f9dcf71ef5b8acf0c439d0428f36432f47a
                              • Opcode Fuzzy Hash: d793962f192c712eb317e755d40f714118a7d847a30565a9f21a3b4f0e8f94ce
                              • Instruction Fuzzy Hash: 8D51F031105B118FC320CF28C8847D5B7E3BF91314F69AA6DC0EA1BA95DB79B44B8B85
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: ee5f5162bf21d34888a33b87c743744e319fa8fac667b706e606a4952f2e7fa4
                              • Instruction ID: 0ebcabb94689490263bd7176810bdbdd0efa578e701d08f281e8661a725ab02b
                              • Opcode Fuzzy Hash: ee5f5162bf21d34888a33b87c743744e319fa8fac667b706e606a4952f2e7fa4
                              • Instruction Fuzzy Hash: 9C51E131504B218BC320CF28C4807D5B7E3BF95314F69AA6DC0EA5BA95DB75B44B8B94
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C633E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C633EAA
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: e9974abaf5932ece2b8b1b79bc34135cf3ddfa5bda68beb2f6c037e438a3f972
                              • Instruction ID: 19b6a84b1dbeefc673ce8c0abbd98c7e71d0ab4e454ff24f9db33a76e60b4672
                              • Opcode Fuzzy Hash: e9974abaf5932ece2b8b1b79bc34135cf3ddfa5bda68beb2f6c037e438a3f972
                              • Instruction Fuzzy Hash: AB313831205B11CFC320CF24C8847D6BBA3AF96314F596E6DC0AA5BA91DBB9700ACB55
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C633E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C633EAA
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 84f480fb9bb830b07a8b6b295f333df2602b7ec0936a5bdedf5eda5b01a7b552
                              • Instruction ID: eddcf281ee65abf9d43990df716d798b359692d7d99971f1c0f6f16398ea7cd6
                              • Opcode Fuzzy Hash: 84f480fb9bb830b07a8b6b295f333df2602b7ec0936a5bdedf5eda5b01a7b552
                              • Instruction Fuzzy Hash: B7312331104B118BC720CF28C4947E6BBF2AF92308F656E6DC0EE5BA85DBB57406CB95
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C633E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C633EAA
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: eb4e491c2a84219f2877a47314b6d596ddd13a97dc2926b0f050019fee23f759
                              • Instruction ID: e0e17a28816ca5fc6f8e7628fd966decffdc25a43659ee65f8e4402fbc694ba3
                              • Opcode Fuzzy Hash: eb4e491c2a84219f2877a47314b6d596ddd13a97dc2926b0f050019fee23f759
                              • Instruction Fuzzy Hash: F421F730218B118BD724CF24C8947E6BBB2AF82308F546A2DC0BE4BA91DBB57405CB55
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C7B5130
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: 5945863e8c8bd29207118839edb1e4a90e8c2c7c4fb144ea69d1dba2fdd37c11
                              • Instruction ID: 87f7b93f936b6a15a4d81226f7bbedc217519b92a407ea67fc500b63865cec81
                              • Opcode Fuzzy Hash: 5945863e8c8bd29207118839edb1e4a90e8c2c7c4fb144ea69d1dba2fdd37c11
                              • Instruction Fuzzy Hash: 3F3149B4608306EFC7518F28D645A0ABBF4ABCA758F50896AF888D6360C331C845DB57
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C7AAEDC
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: fc2f3b8918c18965bec985acfd7d2a82419202364f8c865d650649bfd0369ce8
                              • Instruction ID: 71e3839a957aa26753a051cea68de5fc9122c2f498d309346e51bc9ea0adb25a
                              • Opcode Fuzzy Hash: fc2f3b8918c18965bec985acfd7d2a82419202364f8c865d650649bfd0369ce8
                              • Instruction Fuzzy Hash: 67113AB45093509FD7148B68D64450EBBE4BF8A324F148E69F4A8CB691D330CC498F66
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C78ABA7
                              Strings
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: d303100c6991886da40dffd4b1e54e1401865427909787678d0b9ee62be631e4
                              • Instruction ID: 4ce4718fe4dfdbb727cae38a28ccebf7b5198183b00439da63309154ae691880
                              • Opcode Fuzzy Hash: d303100c6991886da40dffd4b1e54e1401865427909787678d0b9ee62be631e4
                              • Instruction Fuzzy Hash: 3F625C7060E3818FC724CF18C590A5ABBE2AFD9714F148D2EE6A9CB791D735E8458B43

                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; API calls shown in the graph nodes: GetConsoleMode, ReadConsoleW, ReadFile, GetLastError)
                              Strings
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 757d3707cd355d2209f43cd4dd3e7bd92084cf9c8e6d33168d0c0727e92f4984
                              • Instruction ID: 2da4b9fadff74bb49393a98dd6a1e781f18411f479caf220f3b6544b76c79461
                              • Opcode Fuzzy Hash: 757d3707cd355d2209f43cd4dd3e7bd92084cf9c8e6d33168d0c0727e92f4984
                              • Instruction Fuzzy Hash: 8DC11774F0424AAFDF01DFA8CA84BADBFB4AF0A319F144169E410A7B41C7719945CB66

                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; API calls shown in the graph nodes: GetFileType, GetLastError, CloseHandle)
                              APIs
                                • Part of subcall function 6C7D4457: CreateFileW.KERNEL32(00000000,00000000,?,6C7D4115,?,?,00000000,?,6C7D4115,00000000,0000000C), ref: 6C7D4474
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7D4180
                              • __dosmaperr.LIBCMT ref: 6C7D4187
                              • GetFileType.KERNEL32(00000000), ref: 6C7D4193
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C7D419D
                              • __dosmaperr.LIBCMT ref: 6C7D41A6
                              • CloseHandle.KERNEL32(00000000), ref: 6C7D41C6
                              • CloseHandle.KERNEL32(6C7CB0D0), ref: 6C7D4313
                              • GetLastError.KERNEL32 ref: 6C7D4345
                              • __dosmaperr.LIBCMT ref: 6C7D434C
                              Strings
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: d78887c7dfbac650f49e349e41eee1a575dbe4968eaea77aa457c8b5b7c43785
                              • Instruction ID: 077e229ed13a4fb20be2593681172fec1310ae22bc49fd7f8f9460753a7f7ddf
                              • Opcode Fuzzy Hash: d78887c7dfbac650f49e349e41eee1a575dbe4968eaea77aa457c8b5b7c43785
                              • Instruction Fuzzy Hash: 60A15832A041449FCF09CF78C9597AE7BB1AF4B328F194269E811EF790CB35A806DB51

                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; API calls shown in the graph nodes: WriteFile, ReadFile)
                              Strings
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: 4914bdc44ae117a4faac5dfe211340df65d1976e7a51825e4fcf8082be744eef
                              • Instruction ID: 067513532343ea36e9e062d1c4f777c7908afd11e35c8392842daf95439f1f6e
                              • Opcode Fuzzy Hash: 4914bdc44ae117a4faac5dfe211340df65d1976e7a51825e4fcf8082be744eef
                              • Instruction Fuzzy Hash: 07716EB02093459FD710DF54C580B5ABBE4FF8A709F108A3EF698D6650D371D8589B92
                              Strings
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: 04797e77253e218d8c06333c79e58bb129616aeb9e7b8b0fba78a9ca8bed30f8
                              • Instruction ID: ba8c12577788029b601f321423ceb0268066e3908288eaf62eaf5fee0c87fb8d
                              • Opcode Fuzzy Hash: 04797e77253e218d8c06333c79e58bb129616aeb9e7b8b0fba78a9ca8bed30f8
                              • Instruction Fuzzy Hash: B3428B7460A381DFCB54CF29C990A1ABBE2AFC9314F249D2EE69587B20D734E445CB53
                              Strings
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 6b58fc113ab39f5df9349fe8c721ee6cb28530002a5343f6176a4d5d9ae26893
                              • Instruction ID: 778062063f2608983bc371f27897f2dd89179f64c28aacc7f8235df7c5f47b99
                              • Opcode Fuzzy Hash: 6b58fc113ab39f5df9349fe8c721ee6cb28530002a5343f6176a4d5d9ae26893
                              • Instruction Fuzzy Hash: 29030431645B018FC728CF28C8D0696B7E3EFD5328719CB2DC0AA4BA95DB74B44ACB55

                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; API calls shown in the graph nodes: CreateProcessA, WaitForSingleObject, CloseHandle)
                              APIs
                              Strings
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: 05e60addf816329b8b1e08408034ba26a9fbf984199f46ba926d1f0209bea490
                              • Instruction ID: 039b76dd7a62185e8e03bee6cb8c2720635693b42b036e9b2947063dde9a1a16
                              • Opcode Fuzzy Hash: 05e60addf816329b8b1e08408034ba26a9fbf984199f46ba926d1f0209bea490
                              • Instruction Fuzzy Hash: A431E2708097408FD750DF28D29872ABBF0EBDA318F505A1DF49996250E7759588CF87

                              Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; API calls shown in the graph nodes: WriteFile, GetLastError)
                              APIs
                                • Part of subcall function 6C7CBEB1: GetConsoleCP.KERNEL32(?,6C7CB0D0,?), ref: 6C7CBEF9
                              • WriteFile.KERNEL32(?,?,6C7D46EC,00000000,00000000,?,00000000,00000000,6C7D5AB6,00000000,00000000,?,00000000,6C7CB0D0,6C7D46EC,00000000), ref: 6C7CBDAF
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7D46EC,6C7CB0D0,00000000,?,?,?,?,00000000,?), ref: 6C7CBDB9
                              • __dosmaperr.LIBCMT ref: 6C7CBDFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 7b39e18c50eae5b6d915b511bc5eae0bd8c84d48d782a0e71f2b2bffaabd2a90
                              • Instruction ID: 077e35427226e5b17d54c2096e0054dfab99b54902fb52b6da897a9abaa18fa0
                              • Opcode Fuzzy Hash: 7b39e18c50eae5b6d915b511bc5eae0bd8c84d48d782a0e71f2b2bffaabd2a90
                              • Instruction Fuzzy Hash: A151E675B0020BAFDB01DFB8CA49BEEBB79EF0A718F140461F510A7A51D730A945C7A2

                              Control-flow Graph
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7B5D31
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: 9641cef81e73100d25ac9aa6cb9135671550cabdc5da146cd6e6cdf48f314447
                              • Instruction ID: 59a6a745aa9010556903581bc8429c3d093849c4e1cc338e1860de8eefa60849
                              • Opcode Fuzzy Hash: 9641cef81e73100d25ac9aa6cb9135671550cabdc5da146cd6e6cdf48f314447
                              • Instruction Fuzzy Hash: 2B5143B5900B008FD725CF29C995B97BBF1FB88318F108A2DD8865BB91D775B909CB90

                              Control-flow Graph
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C7D425F), ref: 6C7CB97B
                              • GetLastError.KERNEL32(?,00000000,?,6C7D425F), ref: 6C7CB985
                              • __dosmaperr.LIBCMT ref: 6C7CB9B0
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 5166734577c85417f385b93bd3efa12f3871acdec2e105b3e787b27b0e2d3124
                              • Instruction ID: 07abe0b108ce122cc9efcea071e60ea51471bc42ab75701b4c0ac4f36e2de6f0
                              • Opcode Fuzzy Hash: 5166734577c85417f385b93bd3efa12f3871acdec2e105b3e787b27b0e2d3124
                              • Instruction Fuzzy Hash: 1A014833B451219FC611067A974D79E3B654F83B3CF2A0369F81687AC0CB61F8898292

                              Control-flow Graph
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: d1521ca9d6ed7517a9bd6c10c33c9891ec03f29ba3ff07f7b0855960948a17ec
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: 42F0ADB67016566EC6311E3A8F0CADA36989F5237CF100715E86092AD0DB70940A86E3
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7B5AB4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C7B5AF4
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 27d1e74daf21d532288ae5089d17e1198f359adc2010ad4e2c5ca87c162013d0
                              • Instruction ID: 700f472e0618d61eaff3d9e377deeb0302e8c53a46b1839cce672ac11dc52c94
                              • Opcode Fuzzy Hash: 27d1e74daf21d532288ae5089d17e1198f359adc2010ad4e2c5ca87c162013d0
                              • Instruction Fuzzy Hash: 93514571101B00DBE725CF24C989BE6BBE4BB05718F448A1CE4AA5BBA1DB30B548CB80
                              APIs
                              • GetLastError.KERNEL32(6C7E6DD8,0000000C), ref: 6C7BEF52
                              • ExitThread.KERNEL32 ref: 6C7BEF59
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 2714b6f1ec35ab792fdee3efe49efc9f558214334db95f064f8931487dde139b
                              • Instruction ID: a8e37dd3a2ecd7d6c00cabeaaaf0b76228cd60a27a13764092cf34854624fddb
                              • Opcode Fuzzy Hash: 2714b6f1ec35ab792fdee3efe49efc9f558214334db95f064f8931487dde139b
                              • Instruction Fuzzy Hash: 64F0C2B2A00609AFDF049FB0C60DAAE3B74FF45318F144699E405A7B50CB349A05DBA2
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 02c7d79f9b6fc060145b3c9a7d2dd8d22b64cdd1d144dab2f867b8f735db7897
                              • Instruction ID: 2fa982062b62a8b488ca1befac0b9f6f023afb1216f1c7bcec3371f1b74b49b2
                              • Opcode Fuzzy Hash: 02c7d79f9b6fc060145b3c9a7d2dd8d22b64cdd1d144dab2f867b8f735db7897
                              • Instruction Fuzzy Hash: AF114C71A0420EAFCF05CF59E94599B7BF8EF89318F154069F805AB301D671E911CBA5
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: a8052f6bb848e9b1b80fb4ff5ac67ebeb10da25c98de450128d00043cf619058
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: 70014F72D01159BFCF019FA8CE099EE7FB5AF08314F1541A5ED24E26A0E7319A24EB91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C7D4115,?,?,00000000,?,6C7D4115,00000000,0000000C), ref: 6C7D4474
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: cd61e296575fc5c0ab68013c2e7ded51405388bbe05d7821cd416183d0213fb7
                              • Instruction ID: ca0233a4e6a2c7c7c1587d777d86393361c97674e4ba54a4d3c5e7a7aaeb9e57
                              • Opcode Fuzzy Hash: cd61e296575fc5c0ab68013c2e7ded51405388bbe05d7821cd416183d0213fb7
                              • Instruction Fuzzy Hash: CAD06C3210010DBBDF029F84DC06EDA3BAAFB8C714F014010BA1896020C732E861AB94
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: a0ec8b4dbb89aa8b122b453a590b150c71aaa8962d66665afc1be00cba1e91fe
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: g)''
                              • API String ID: 4218353326-3487984327
                              • Opcode ID: 21208dd9c6241b52c39521e4f934649b7ce7d465a86605b053e1398c13d1f991
                              • Instruction ID: 11c8932d05050579d5debd5894a7f896100b204d653018455f7db017f37a9403
                              • Opcode Fuzzy Hash: 21208dd9c6241b52c39521e4f934649b7ce7d465a86605b053e1398c13d1f991
                              • Instruction Fuzzy Hash: F4630431645B018FC728CF28C9D0A95B7F3BFD53187198A6DC0EA5BA59EB74B44ACB40
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6C7B5D6A
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C7B5D76
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C7B5D84
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C7B5DAB
                              • NtInitiatePowerAction.NTDLL ref: 6C7B5DBF
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: 85d03ccd315b2139987dc86bbbec79a9bbeda70d06d3db2aa1ef7752a34239a5
                              • Instruction ID: ed7c1b3655899bd76693de8ee5dd668d4d098111e5066ba122ce2f26b4a52e06
                              • Opcode Fuzzy Hash: 85d03ccd315b2139987dc86bbbec79a9bbeda70d06d3db2aa1ef7752a34239a5
                              • Instruction Fuzzy Hash: F4F0B470644300BBEA106B24DE0FB9A7BB4EFC5705F014628F945A60D1E7706998CBD6
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: 87e2480f1bef3d0dc6c1f53789074b93e084c651fc949edbf7b66180cd443fa0
                              • Instruction ID: e63645eb99b498b13bcffb961c7cccd6fee9bc7c219a92d5adc0fc96066a5f5b
                              • Opcode Fuzzy Hash: 87e2480f1bef3d0dc6c1f53789074b93e084c651fc949edbf7b66180cd443fa0
                              • Instruction Fuzzy Hash: BE424374609392CFCB24CF28C48165ABBE1BBC9314F146A2EE499CB7A1D334D945CB57
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C816CE5
                                • Part of subcall function 6C7ECC2A: __EH_prolog.LIBCMT ref: 6C7ECC2F
                                • Part of subcall function 6C7EE6A6: __EH_prolog.LIBCMT ref: 6C7EE6AB
                                • Part of subcall function 6C816A0E: __EH_prolog.LIBCMT ref: 6C816A13
                                • Part of subcall function 6C816837: __EH_prolog.LIBCMT ref: 6C81683C
                                • Part of subcall function 6C81A143: __EH_prolog.LIBCMT ref: 6C81A148
                                • Part of subcall function 6C81A143: ctype.LIBCPMT ref: 6C81A16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction ID: b9473507c065efa3e5418e1e7bb4b79e65b0fbd5059a0eea033ae1968c2c1c3c
                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction Fuzzy Hash: D303C03180825ADFDF21CFA8CA48BDCBBB0AF15318F2484A9D44567A91DB345F8DCB61
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C7C0279
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C7C0283
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C7C0290
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 3e65909e0caec2565caa44eed92edefe0d9fa6517d48c79499558d663a174f0b
                              • Instruction ID: d92796a1731542150cba0823c0aa58e96dbbd9451780a6847d9b0cbf39dc2b26
                              • Opcode Fuzzy Hash: 3e65909e0caec2565caa44eed92edefe0d9fa6517d48c79499558d663a174f0b
                              • Instruction Fuzzy Hash: 1031927590122DDBCB61DF68D988BCDBBB8BF08314F5042EAE41DA7250EB709B858F45
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,6C7BF235,?,?,?,?), ref: 6C7BF19F
                              • TerminateProcess.KERNEL32(00000000,?,6C7BF235,?,?,?,?), ref: 6C7BF1A6
                              • ExitProcess.KERNEL32 ref: 6C7BF1B8
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: e005e87528321e2c14226c2b237e330af3c6cf30851f5ed9659f2caf1884b4f8
                              • Instruction ID: 3f9bcb5f8d5d13467717992bf00ffccc370b5d9666f42a42186f9af415e92fdc
                              • Opcode Fuzzy Hash: e005e87528321e2c14226c2b237e330af3c6cf30851f5ed9659f2caf1884b4f8
                              • Instruction Fuzzy Hash: F4E0463A102108AFCF426F94CA0CA993B38FB4A79AB000824F818D6630CB39D981DA40
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: a74588756cf0caa454df1d272a2bd9db15d17f08861001b510b3503720ffedd6
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: D6910433D01209DACF04DFA8CA88AEDBB75FF6D35CF20806AD4516BA51DB325949CB50
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C7B78B0
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C7B80D3
                                • Part of subcall function 6C7B9379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C7B80BC,00000000,?,?,?,6C7B80BC,?,6C7E554C), ref: 6C7B93D9
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: 2b7ba31abbde8b55ca5049308198407b95f26c005f2869ee3c15cb2d6e84b731
                              • Instruction ID: 4167655ef424916aac151d51b07e264862d77efec98b2265018fbcfc2ad82558
                              • Opcode Fuzzy Hash: 2b7ba31abbde8b55ca5049308198407b95f26c005f2869ee3c15cb2d6e84b731
                              • Instruction Fuzzy Hash: 1CB1DE71A04609ABCB15CF55C98169EFBB4FB59318F24823ED416F7680E734E948CFA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 139334188a32b686a31c7c1e961d15fa8260d60bb3b93920e7f754bc176e18ab
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 45217137AA49564BE74CCA68DC33EB92681E744305B89527EE94BCB7D1DF6D8800C648
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C80540F
                                • Part of subcall function 6C806137: __EH_prolog.LIBCMT ref: 6C80613C
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 978c65236188e12fb97e9a829bfba310cded602fa3e38cb6d6c607cf0239fc7f
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: 19628D71A00359CFDF25CF98CA94BDEBBB1BF04308F14496AE815AB680D7749A45CFA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: 477fee4db3029f71f430893624851c9a7962a9a6abf30685096a656483f898b1
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: 8142F5706083818FC365CF28C69069ABBE2FFD9308F554D6EE8D58B741D6B1D856CB82
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 5e4481f93bd6e23b5c2962cbcf99a3c88b28e5ee668576b037d24460a91aee57
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 4F51E671A092859BD710CF5AC4C12EAFBF6AF79214F18C05EE8C897342D27A599BC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: 4d3d5e76309b8c7e347c3e21514121d56a5dd99c06c9a231847f565212ca77a2
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: AC029A316083A08BD325CF2ACA9479EBBE2EFC8348F144E2DE4D597B51C7759945CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 2e79977988b4cc91f88ed62cfd7318d145d4374469b03105bd1037211f4b6376
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 2D519573E208314AD79CCE24DC2177572D2E784310F8BC1B99D4BAB6E6CD78589087C4
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: 2d53bde53788f00f72950e8903c418ea5595bf6805a579a08ce71532dcef272a
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: 92524E31608B858BD329CF2AC69466AB7E2BB95308F144E2DD4DAC7F41DB70F845CB49
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: c2d137120552fdef550a9b02bf95f98fd2d1ef6df0878e8d695477891d2c1d19
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: 5162F3B1A093458FC724CF19C68065EBBE2BFC8744F149E2EE89987714E770E845CB62
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: e3356cba2816989ce45cfa86c0ba219d1a6c057bb97d370bb4c8fd4c4026e9ce
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: 0C126A712097458BC728CF2AC6E066EBBE2BFC8344F64892DE99687F41D731E845CB51
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: aa55a0abe9cec5f4b98a2673b19978a1067ffe0604fde21ea2d5788e79ec98c2
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: D602D732A082118BD339CE28C5D025DBBE2FBC4355F194F2EE49697A94E7749844CFA2
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: 25f7ba54df7da32d12fb680d59f810b88f0cc0639ba1fdf05065ca66bfe20b5c
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: 25F113326042888BEB74CE28D5907EEB7E2FBD5304F94493DD889CBB41DB75950AC792
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: c88e392dfc290d5bec6162d7d7043f81f9ea8f28dfb9b688fa3a80d9ddc05bde
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: BBD100715046168FD328CF1EC594736BBE2EF96304F054ABDD9A28BB9AD734E905CB40
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 0b816ed6aaf62aae4c7b0a54c98e39bf1323d03e4373e153e032bd7ea7a68cfa
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: 6EC1E5352047458BC328CE3ED1E4696BBE2AFDA314F148AADC4CA4BF55DA34A80DCB55
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 55ca8c370476e8cc77d6d5934f032d22fe5f29cfa399d6319146191820c9b71c
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: 94B1EE31304B054BD375DE39CA907EAB7E1AF80308F80493DC9AA87B81EFB4A519C795
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: e69452ca2dccc3c3d3dc5d360779c607e532c9683d27a9d31a477071da0eeec6
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: B7B1AC756047028BC314DF2AC9806ABF7E2FFC8304F54892DD49AC7B12E771A55ACB95
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: e3bfbffa7cc96a14d378d18317abb8ef3754d89d0837a9616b952dab427cdc4a
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: E7A1D57160C7418FC325CF2AC5D069ABBE1ABD5318F544E2DE4DAC7B81D631E94ACB42
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: 1829b15b7dc6f0edad6df5d0685835eee73ad1b9d3603ebf21f40997f116e60d
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: 1581C335A047058FC320CF2AC180256F7E1FF99714F28CA6DC5999BB55E772E94ACB81
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 145365216ea2f93b859c3e88fe885b405c6ab4e5d0b21374983a9f4674e42de7
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: C3519C72F006099BDB18CE98DEA26EDBBF2EB88308F248569D511E7781D7749B41CB50
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: d1a05dd2d2a8ca25ad7a70f134c7c20b80f126839ca24457313beb82bacf77ba
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 683114277A440103CB1CCD3BCD1679F91535BD426AB0ECF396C05DEF56D96CC8124144
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: ba7e1ab37d9a745b703ececfdddaba1531a73bd8c72a17b25a4997130bbb3972
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: 1D219077320A0647E74C8A38D93737532D0A705318F98A62DEA6BCE2C2D73AC457C385
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8a6ed76600b72a78fc990690e6a7e456086fcb20ecf18423b9384965bdb87ec7
                              • Instruction ID: 59e383a2c4e72734746665960f6ac0678a9d91241c70ded0d07c2da8b04350b2
                              • Opcode Fuzzy Hash: 8a6ed76600b72a78fc990690e6a7e456086fcb20ecf18423b9384965bdb87ec7
                              • Instruction Fuzzy Hash: 63F03072B153249FCB52DA48D60AB8973BCEB45B6AF1100A6E505EB641C7B0DE40C7D1
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: 9fc5541ea1287d1156c68672181f172f323c7306d962fa06990ad6986fd21197
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: AEE08C72A16639FFCB15EB88CA49D8AB3ECEB44B09B1104A6B501E3610D270DF00C7D1
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                              • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                              • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                              • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: 3c8e579d51a74d02a0a27ce886d113152ea444e5fed00965dba1fb6a28bc2f6f
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: C0D1A571A0820BDFCB21CFA4DA88AEDB7F5FF45318F144969E455A3E50DB709948CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: ad5ab63c4a9d557eafe5c981f7fe0f2d00f1cfe9d920d28647792637c504be89
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: 39125C71A00219EFDF20DFA8CE84ADDBBB5FF08318F248969E815A7650D7359985CB50
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6C7B9B07
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C7B9B0F
                              • _ValidateLocalCookies.LIBCMT ref: 6C7B9B98
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C7B9BC3
                              • _ValidateLocalCookies.LIBCMT ref: 6C7B9C18
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 32187db4ca6be7d0da7a5ce7dbf665e9099f5953d1fab8371fb6c2293399f74e
                              • Instruction ID: dc46b2b63db2d039dc05222679c52a8e9fe37d745c8b626623069411177c8067
                              • Opcode Fuzzy Hash: 32187db4ca6be7d0da7a5ce7dbf665e9099f5953d1fab8371fb6c2293399f74e
                              • Instruction Fuzzy Hash: 1941E630A102199FCF00DF68CA88ADF7BB5BF66318F148565E825BB751DB31EA05CB91
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              • Opcode ID: dad421a43ef317d285808c9f82830316e7f1bca460a745af1f81a922597331cc
                              • Instruction ID: b134f17f4e0ef852b6c492079cb69f6a7b6c136bbbdcb59f3f0307d1f5e80d68
                              • Opcode Fuzzy Hash: dad421a43ef317d285808c9f82830316e7f1bca460a745af1f81a922597331cc
                              • Instruction Fuzzy Hash: 7321D832F16613AFDB114B69CEC4A3A37A8AF06768F150671F855E7A90D730DF0086E2
                              APIs
                              • GetConsoleCP.KERNEL32(?,6C7CB0D0,?), ref: 6C7CBEF9
                              • __fassign.LIBCMT ref: 6C7CC0D8
                              • __fassign.LIBCMT ref: 6C7CC0F5
                              • WriteFile.KERNEL32(?,6C7D5AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7CC13D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C7CC17D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7CC229
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID:
                              • API String ID: 4031098158-0
                              • Opcode ID: 425ef128069e79fb9df1584e2aef5d384a1e5f9cabd7f8542bbbd08ca414c1a1
                              • Instruction ID: ac0622cb3a1b47724929a9ad9932f75c31dfddaa9fa0c3aa7a6c89549c110650
                              • Opcode Fuzzy Hash: 425ef128069e79fb9df1584e2aef5d384a1e5f9cabd7f8542bbbd08ca414c1a1
                              • Instruction Fuzzy Hash: 5ED1AA71E012499FCF11CFE8CA809EDBBB5BF49318F28416AE855BB342D731A946CB51
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C682F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C682FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C682FD0
                              • __Getctype.LIBCPMT ref: 6C683084
                              • std::_Facet_Register.LIBCPMT ref: 6C68309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C6830B7
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 1483caf69efece796d61738201a39eb24b021087f0ea15ab9f634f95929e6e3b
                              • Instruction ID: 8b60a9c300a60ee1dc3e23ce5900b90b80ea2e648681ba95571ee26020294ed0
                              • Opcode Fuzzy Hash: 1483caf69efece796d61738201a39eb24b021087f0ea15ab9f634f95929e6e3b
                              • Instruction Fuzzy Hash: 4C418C71E016188FCB14CF84C959B9EB7B4FF89718F054128E855BB740D735AA04CBE8
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: 5e3af1c72534beb2fa9b9a2572580236d4d6e4014470bc6cd212e3c4b9482a40
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: 5C21B131601219FBDF608EA8DE80DDF7A79FF417A8F20C635B53561A90D2718D51C6A1
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C7FA6F1
                                • Part of subcall function 6C809173: __EH_prolog.LIBCMT ref: 6C809178
                              • __EH_prolog.LIBCMT ref: 6C7FA8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: 189bc3161a572eaac820fecb8cb189d7db5d652d3498dce02df4b957bb4a26f7
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: 4F71B231900255DFDB14CF64C688FDDBBF4BF18318F1084A9D865A7B91CB74AA0ACB90
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C682A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: U#hl$q!hl$Jbx$Jbx
                              • API String ID: 4194217158-1979245787
                              • Opcode ID: d22c6aa2c8e614f5bb91d2a4e5d30cf459b788236fc26f95cdd82c5f4ccef0a4
                              • Instruction ID: d50c31976be2d5ce5181e81848f998fbbad707830400a0c0083a6c01daa5ffda
                              • Opcode Fuzzy Hash: d22c6aa2c8e614f5bb91d2a4e5d30cf459b788236fc26f95cdd82c5f4ccef0a4
                              • Instruction Fuzzy Hash: E25147B19012048FCB14CF59C8886DEBBB5FF89318F11846EE849AB741D335E985CBA1
                              APIs
                              • _free.LIBCMT ref: 6C7D5ADD
                              • _free.LIBCMT ref: 6C7D5B06
                              • SetEndOfFile.KERNEL32(00000000,6C7D46EC,00000000,6C7CB0D0,?,?,?,?,?,?,?,6C7D46EC,6C7CB0D0,00000000), ref: 6C7D5B38
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7D46EC,6C7CB0D0,00000000,?,?,?,?,00000000,?), ref: 6C7D5B54
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: 9c33295caea6510760ccd3d3f3d783aa78cb1d071b4481c5553092774f223c01
                              • Instruction ID: aca61ad07902dfc56ecd50d8474260950b8092b33ba0d7f331b3c45124873a46
                              • Opcode Fuzzy Hash: 9c33295caea6510760ccd3d3f3d783aa78cb1d071b4481c5553092774f223c01
                              • Instruction Fuzzy Hash: 1441C4B6600605ABDB419FA8EF8DB9E3F75EF85368F260151E424E7A90DB30E8044761
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C80E41D
                                • Part of subcall function 6C80EE40: __EH_prolog.LIBCMT ref: 6C80EE45
                                • Part of subcall function 6C80E8EB: __EH_prolog.LIBCMT ref: 6C80E8F0
                                • Part of subcall function 6C80E593: __EH_prolog.LIBCMT ref: 6C80E598
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: 93804d47adb970e01e367fbb61cb74c155ae9161fe6f5a20581347e7e9867d63
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 50218E72D01258AACF15DBE8DA889DDBBB4AF25318F104469D41177781DB781E0CCB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: fc5fdcf226918fbe2854ec6e08af8abfcb40badce449bec6ca17858297c5759f
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 2611D3B1904B64CEC720DF5AC55419AFBE4FFA5708B10C91FC4A697B50C7F8A508CB99
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C7BF1B4,?,?,6C7BF235,?,?,?), ref: 6C7BF13F
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C7BF152
                              • FreeLibrary.KERNEL32(00000000,?,?,6C7BF1B4,?,?,6C7BF235,?,?,?), ref: 6C7BF175
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 84d9f19adf4458a34c1b37bb30e30c1b90485c7863f36add948868796df3b993
                              • Instruction ID: 55cdc67f95c1708ddde77258f6f91d0036a1e7106360cbbdc7e87d94230badfe
                              • Opcode Fuzzy Hash: 84d9f19adf4458a34c1b37bb30e30c1b90485c7863f36add948868796df3b993
                              • Instruction Fuzzy Hash: 54F08C37A01519FBDF02AF91CA09B9E7A78EB0979AF204470F805F2060CB308E00EB90
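                               Most of the functions listed above resolve to MSVC runtime helpers (IDA tags them LIBCMT, LIBVCRUNTIME, LIBCPMT; the entry just above is the CRT's CorExitProcess shutdown hook), so an analyst working through this listing wants the few entries that reach OS APIs from non-library code. The script below is an added example and not part of the Joe Sandbox report or its tooling: it parses entries in the bullet layout used on this page, keeps the memory-dump source, base address, API references (including "Part of subcall function" lines), String ID and Instruction Fuzzy Hash, and sorts each function into crt, os_api or no_apis. The sample text is copied from this page's own entries, shortened to the lines the parser reads; the runtime-module set and the CRT string-marker list are assumptions an analyst would maintain, not Joe Sandbox fields.

```python
"""Triage Joe Sandbox per-function entries: split MSVC runtime helpers from
functions that reach OS APIs. Added example, not part of the report."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: five entries copied from this page's listing, cut down to the
# lines the parser reads (Associated, Snapshot File and Opcode ID lines dropped).
SAMPLE = """
• Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
• API ID:
• String ID:
• Instruction Fuzzy Hash: AEE08C72A16639FFCB15EB88CA49D8AB3ECEB44B09B1104A6B501E3610D270DF00C7D1
APIs
• _ValidateLocalCookies.LIBCMT ref: 6C7B9B07
• ___except_validate_context_record.LIBVCRUNTIME ref: 6C7B9B0F
• Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• Instruction Fuzzy Hash: 1941E630A102199FCF00DF68CA88ADF7BB5BF66318F148565E825BB751DB31EA05CB91
APIs
• GetConsoleCP.KERNEL32(?,6C7CB0D0,?), ref: 6C7CBEF9
• __fassign.LIBCMT ref: 6C7CC0D8
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C7CC17D
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C7CC229
• Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
• API ID: FileWrite__fassign$ConsoleErrorLast
• String ID:
• Instruction Fuzzy Hash: 5ED1AA71E012499FCF11CFE8CA809EDBBB5BF49318F28416AE855BB342D731A946CB51
APIs
• __EH_prolog.LIBCMT ref: 6C7FA6F1
  • Part of subcall function 6C809173: __EH_prolog.LIBCMT ref: 6C809178
• __EH_prolog.LIBCMT ref: 6C7FA8F9
• Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
• API ID: H_prolog
• String ID: IJ$WIJ$J
• Instruction Fuzzy Hash: 4F71B231900255DFDB14CF64C688FDDBBF4BF18318F1084A9D865A7B91CB74AA0ACB90
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C7BF1B4,?,?,6C7BF235,?,?,?), ref: 6C7BF13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C7BF152
• FreeLibrary.KERNEL32(00000000,?,?,6C7BF1B4,?,?,6C7BF235,?,?,?), ref: 6C7BF175
• Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• Instruction Fuzzy Hash: 54F08C37A01519FBDF02AF91CA09B9E7A78EB0979AF204470F805F2060CB308E00EB90
"""

REF_RE = re.compile(r"•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?(?P<name>[^\s(]+)"
                    r"\.(?P<module>[A-Z0-9_]+)(?:\([^)]*\))?,?\s+ref:\s+(?P<addr>[0-9A-F]+)")
KV_RE = re.compile(r"•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
SRC_RE = re.compile(r"(?P<file>\S+?),\s+Offset:\s+(?P<base>[0-9A-F]+)")
RUNTIME_MODULES = {"LIBCMT", "LIBVCRUNTIME", "LIBCPMT"}   # IDA library tags on CRT helpers
# Assumption: analyst-maintained strings that this page shows inside CRT-tagged functions;
# they mark a function as CRT even when it calls KERNEL32 directly.
CRT_STRING_MARKERS = {"csm", "api-ms-$ext-ms-", "CorExitProcess$mscoree.dll"}

@dataclass
class ApiRef:
    name: str
    module: str
    addr: str
    subcall_of: str = ""     # set for "Part of subcall function" lines

@dataclass
class FunctionEntry:
    source_file: str = ""
    base: str = ""
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""
    api_refs: list = field(default_factory=list)

def parse_entries(text):
    """One FunctionEntry per block; the Instruction Fuzzy Hash line closes a block."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue                           # APIs / Strings / Similarity labels carry no data
        if m := REF_RE.match(line):
            cur.api_refs.append(ApiRef(m["name"], m["module"], m["addr"], m["sub"] or ""))
        elif m := KV_RE.match(line):
            key, val = m["key"], m["val"].strip()
            if key == "Source File" and (s := SRC_RE.match(val)):
                cur.source_file, cur.base = s["file"], s["base"]
            elif key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
            elif key == "Instruction Fuzzy Hash":
                cur.fuzzy_hash = val
                entries.append(cur)
                cur = FunctionEntry()
    return entries

def classify(e):
    if e.string_id in CRT_STRING_MARKERS:
        return "crt"
    if not e.api_refs:
        return "no_apis"
    return "crt" if all(r.module in RUNTIME_MODULES for r in e.api_refs) else "os_api"

def os_api_names(e):
    return sorted({r.name for r in e.api_refs if r.module not in RUNTIME_MODULES})

def triage(text):
    entries = parse_entries(text)
    return {"entries": entries, "counts": dict(Counter(classify(e) for e in entries)),
            "review": [e for e in entries if classify(e) == "os_api"]}

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["counts"])
    for e in result["review"]:
        print(e.base, e.fuzzy_hash[:16], os_api_names(e))
```

                               On the sample this leaves one function for review (the GetConsoleCP/WriteFile/GetLastError block) and files the other four as CRT or API-free; run it over the full listing to shrink the set of fuzzy-hash entries worth opening in the dump. The base address from the Source File line ties each entry back to the memory region (6C630000 or 6C7E8000 here) so the review list can be matched against the Memory Dump Source sections.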
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C7B732E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C7B7339
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C7B73A7
                                • Part of subcall function 6C7B7230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C7B7248
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6C7B7354
                              • _Yarn.LIBCPMT ref: 6C7B736A
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: e5ec5361924648be4c2a5c4d5ad5c1e6d3f177d0933585d061aef3fc32dbae6c
                              • Instruction ID: 0fc2d46c6e9a7cb90b2093c94add9805acb9ecc46ff804f77f8ae74fd33aa9ff
                              • Opcode Fuzzy Hash: e5ec5361924648be4c2a5c4d5ad5c1e6d3f177d0933585d061aef3fc32dbae6c
                              • Instruction Fuzzy Hash: 38018F756005159BCB09DF20CA5DABD77B1FFC6258B190059E801B7780DF34AA4ACBE9
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 5494339b42b0a1a158d14ad55a483cd26ebe9341bda88990e360b10e0fa2a366
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 29126F7091125ADFCB24CFE8C6D0ADDBBB1BF05308F14A869E449ABB51D734E945CBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 859f946aaa2ee3113ccb30e9f8792244dce5b196dfe6c6c4898ca3e57f44acff
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 03B16D71E01209DFCB24CF99CA949AEBBB5FF48314F20892EE415A7B51C774AE45CB50
                              APIs
                                • Part of subcall function 6C7B7327: __EH_prolog3.LIBCMT ref: 6C7B732E
                                • Part of subcall function 6C7B7327: std::_Lockit::_Lockit.LIBCPMT ref: 6C7B7339
                                • Part of subcall function 6C7B7327: std::locale::_Setgloballocale.LIBCPMT ref: 6C7B7354
                                • Part of subcall function 6C7B7327: _Yarn.LIBCPMT ref: 6C7B736A
                                • Part of subcall function 6C7B7327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C7B73A7
                                • Part of subcall function 6C682F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C682F95
                                • Part of subcall function 6C682F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C682FAF
                                • Part of subcall function 6C682F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C682FD0
                                • Part of subcall function 6C682F60: __Getctype.LIBCPMT ref: 6C683084
                                • Part of subcall function 6C682F60: std::_Facet_Register.LIBCPMT ref: 6C68309C
                                • Part of subcall function 6C682F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C6830B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6C68211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: 576e690ea831dd7a66c2df2049fa94ba11b343399d0cc65ab563057fa88d7476
                              • Instruction ID: a3dde39c0f0a23fb650a4201154ff965dc547cf522d5adede2fd583ae0e80af4
                              • Opcode Fuzzy Hash: 576e690ea831dd7a66c2df2049fa94ba11b343399d0cc65ab563057fa88d7476
                              • Instruction Fuzzy Hash: DA41C3B1A013098FDB00CF64D8497AEBBB1FF48318F148268E915AB791E7759985CFA4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: 2f2e0067841ce1477ebb3c902a96f7e1d5ccb435d287521b4b993fd216e9ae82
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: 82219570F012058BDB24DFE8CA901EEB7B2FF94304F544A2EC812E7B91C7745A458A90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction ID: 3d4d7e09255fa64514c7a4f24da436c2b032d80f4845ebf0476737f5fd5b0298
                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction Fuzzy Hash: A5216F33D011199ACF15DBE8CA98BEDB7F5EFA8308F20055AD40177A40DB755E08CBA1
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C814ECC
                                • Part of subcall function 6C7FF58A: __EH_prolog.LIBCMT ref: 6C7FF58F
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: 5ad7aa053dfcf8594140764994f56dc9ff87486ad205860e3f93b94a5a73e80f
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: 6C21DAB1801B40CFC760CF6AC14828ABBF4BF69718B00C96EC0AA97B11D7B8A508CF55
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C7CB0D0,6C681DEA,00008000,6C7CB0D0,?,?,?,6C7CAC7F,6C7CB0D0,?,00000000,6C681DEA), ref: 6C7CADC9
                              • GetLastError.KERNEL32(?,?,?,6C7CAC7F,6C7CB0D0,?,00000000,6C681DEA,?,6C7D469E,6C7CB0D0,000000FF,000000FF,00000002,00008000,6C7CB0D0), ref: 6C7CADD3
                              • __dosmaperr.LIBCMT ref: 6C7CADDA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: 0e34f47fa6ff6d7c1e6433fff1a55de3fe07040ecd7a94e1e53bd94a9cac9e0f
                              • Instruction ID: f4262eeea44c05fd544ffd1b5ee6fb8bdd2f6cc2d4511f28c939464792419abb
                              • Opcode Fuzzy Hash: 0e34f47fa6ff6d7c1e6433fff1a55de3fe07040ecd7a94e1e53bd94a9cac9e0f
                              • Instruction Fuzzy Hash: 6701FC377106157FCF058FAADD0A8DE3B39EF86336B240218E812D7684EB71E9018B91
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: 943c90495925dd94227a767789b5cfe921ff5414c3dbb89095e95f51bb19d12b
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: F941D671D01289AFCF24DBA0DA948FEB774AF15318F20C869D13127E61EB31A64DCB11
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: e400082873d6ffeb42f66afba46ae9f60eefd640cf65dce3902cd4a3fbb46561
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: 80119076301304BFEB354AA8CD44EAF7BBDEF85744F10882DF55156A50C6B1AC449760
                              APIs
                              • GetLastError.KERNEL32(?,?,?,6C7BEF64,6C7E6DD8,0000000C), ref: 6C7C49B7
                              • _free.LIBCMT ref: 6C7C4A14
                              • _free.LIBCMT ref: 6C7C4A4A
                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C7BEF64,6C7E6DD8,0000000C), ref: 6C7C4A55
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              • Opcode ID: e96b112dfbd3657d8097d13a3fc3b3407ba20a5e675d62dd7d78dafce1c4e34f
                              • Instruction ID: 6bda217d83607ce74f33754de8855fd5379c046e6b08148630394de7d7810dbf
                              • Opcode Fuzzy Hash: e96b112dfbd3657d8097d13a3fc3b3407ba20a5e675d62dd7d78dafce1c4e34f
                              • Instruction Fuzzy Hash: 5A11C4327046036FDA105DB54E8CDBE2679ABC277CB350635F524A2B80EF318C04B15A
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6C7D46EC,00000000,00000000,?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0), ref: 6C7D5ED1
                              • GetLastError.KERNEL32(?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?,6C7CB0D0,?,6C7CBD1C,6C7D5AB6), ref: 6C7D5EDD
                                • Part of subcall function 6C7D5F2E: CloseHandle.KERNEL32(FFFFFFFE,6C7D5EED,?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?,6C7CB0D0), ref: 6C7D5F3E
                              • ___initconout.LIBCMT ref: 6C7D5EED
                                • Part of subcall function 6C7D5F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C7D5EAB,6C7D4B3E,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?), ref: 6C7D5F22
                              • WriteConsoleW.KERNEL32(00000000,?,6C7D46EC,00000000,?,6C7D4B51,00000000,00000001,00000000,6C7CB0D0,?,6C7CC286,?,?,6C7CB0D0,?), ref: 6C7D5F02
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: 6e0e3231ffffa5a863fc641d67d745f76a0ecaccfec08924285632f1544cb67f
                              • Instruction ID: cc491b5222fde89fa545e0dba36e1390432689c9c6ef69d77d9adc1dd3c8291d
                              • Opcode Fuzzy Hash: 6e0e3231ffffa5a863fc641d67d745f76a0ecaccfec08924285632f1544cb67f
                              • Instruction Fuzzy Hash: B5F0C777500119BBCF525FE5DC08A893F36FB09765F054521FB1996520CB32AC20EB95
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C7EE077
                                • Part of subcall function 6C7EDFF5: __EH_prolog.LIBCMT ref: 6C7EDFFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: 485931f5b1cfe4cbbca6a75cc827d4ed57b16624c8c6c40342dc1442832d79d8
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: B2E1153390060C9ACF10DFA4CA987DDB7B5BF5D31CF108929D4516BBA0EB74A949CB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction ID: 1d55999df53ff56ced03d751297da2518f90be03a1ebd05f28249782cc9c4cd9
                              • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction Fuzzy Hash: F481F532A012299FCF20CFD8C644BDE77F5AF45308F24A869D818AB641D771D905CBE0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                              • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: 76fe5231bb3a3eb5a10b1ae84995069db603195ceb83f1eb5680a53c526181ad
                              • Instruction ID: b6c15d17bf0a1a4b51fb4fc612f0cc55b6ad626325b7e6fb21a3906d40d20ebf
                              • Opcode Fuzzy Hash: 76fe5231bb3a3eb5a10b1ae84995069db603195ceb83f1eb5680a53c526181ad
                              • Instruction Fuzzy Hash: 1271C671F012579FEB108F96CA84BEE7BB5AF06358F144235E83067A80DF758845CBA2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: 742c0bdf6939ebb5ee1f36b79741102067e7561cf4f0293dc1847380d86cde81
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: C2914B71914349EFCB20DF99CA849DEFBF4BF18308F50492EE555A7A50D770AA48CB10
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C808C5D
                                • Part of subcall function 6C80761A: __EH_prolog.LIBCMT ref: 6C80761F
                                • Part of subcall function 6C807A2E: __EH_prolog.LIBCMT ref: 6C807A33
                                • Part of subcall function 6C808EA5: __EH_prolog.LIBCMT ref: 6C808EAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: ea7b3b8bd70e6e955360060db612f8dd08c092f9c25c95c5c53bfde870ab7adb
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 71819432E00159DFCF25DFA8DA94ADDBBB4AF18318F10456AE412B7B90DB306E49CB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                              • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: 4565cc7083d262e6526d6c26d02a89f10b8a62131787aa71456c8cf690fe853c
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: 0551817190424AEFCF20DF98CD848EDB7B1BF49318F10892EE525ABB50D7359A95CB10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction ID: f5e28a858c579bbe6972a1d885155b539d2d50faaf244a1a5780a4fa7b782f82
                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction Fuzzy Hash: C9416821B065917FD7328B6DCEA5BF8BBA19F16308F148D78C4D247E85DB64588AC390
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C7D46D6), ref: 6C7CD01B
                              • __dosmaperr.LIBCMT ref: 6C7CD022
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: 425720986d8c72e8a43241ff210f3097090c8d814fead69205c8ebcf105d5503
                              • Instruction ID: 1942c0e20635ed416fba03bfb80d80635c2a2fae7f868e1f371b82a3eb492cf3
                              • Opcode Fuzzy Hash: 425720986d8c72e8a43241ff210f3097090c8d814fead69205c8ebcf105d5503
                              • Instruction Fuzzy Hash: EA41ED32704196AFD721DF6CCA80BA97FE4EF47309F284269E8808B702D3719C02C796
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: U#hl$q!hl
                              • API String ID: 4218353326-1496782519
                              • Opcode ID: 423e2b0066346b8af9a477a992f3a2c594eb99b0d1eb4fc3422dc72b24055755
                              • Instruction ID: 01c010e650a5bae16a1a1f516ee23110174cf6497261908212bf150952b6922f
                              • Opcode Fuzzy Hash: 423e2b0066346b8af9a477a992f3a2c594eb99b0d1eb4fc3422dc72b24055755
                              • Instruction Fuzzy Hash: BB4191B2D012189BDB00DFA4DD88ADEBBB9EF48354F150125E804A7740E7359A58CBA5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: 168fd1e2c666f8f19537f7bb45074787ed93c0d02afee5fa34b04ce2e2874906
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: 313128326D6309C7D7209B58DB0DBEA7765EB25328F10452ED510A6EEACB7889C5CAC0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 2518cd447e1b12463090c71ff35d6dec98c73067f676a3de5277f311ff4595f8
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 9041B532601745EFCB219F64C6987EEBBE2FF89309F00482EE45697B50CB756944CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: f09c4ed9ac0892f7a6d2c403fda9f9bbf2b09ff8a25a103b5f643efadc4b8a46
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: F421A6B1A017046FD7308FAAC984B6BBAFDFB44715F108D2EB146D7B40D770A9448BA5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: 45162eb65b66b4f461abc8a428bb6fdf70d346e658a0a09379c6daf2ed9ebafa
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: 0801C4B1E01349DADB20DF9985945AEF7B4FF55304F40882EE02AE3B40C3386944CB95
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: cc6fd4d93c3cda494d1e54b81630a6373d6c969c46ae36c511291e499ab47e4e
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 6A117CB1A01209DBCB10DF99C5D45AEB7B4FF58348B50C82ED479E7B00D3389A16CB55
                              APIs
                              • _free.LIBCMT ref: 6C7CDD49
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C7CA63A,?,00000004,?,4B42FCB6,?,?,6C7BF78C,4B42FCB6,?), ref: 6C7CDD85
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
                               • Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865117628.000000006C7D8000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1866446057.000000006C9A3000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: fa47c58c95e95cae6881c793cbef599b47207caecfee1faea8afcad01283ead0
                              • Instruction ID: de5e050cba9566cd0d62042c03baf7fef2b892ff38602f1cbe1f519a757d07c7
                              • Opcode Fuzzy Hash: fa47c58c95e95cae6881c793cbef599b47207caecfee1faea8afcad01283ead0
                              • Instruction Fuzzy Hash: C5F0C832B81A076EDB211E669E4DB9A37688F93B78B150537E81497E90EB30C401D5EB
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: 0c46ae7101cf0262a46fb2e8fff1bd87d912b6e787b19b8443359270f4488822
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: 42E06572A155109BEB258F48DA147DEF3ACFF64B14F10446F9016A7A41CBB5AD4486C1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: 684dd552967136d75c06ba0c969672ec78f5cfc5958097dc26d6ad4b69f7fe1f
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: 53E06D32A1A5159BDB249F48DA20BEEF7A8EF55724F11452EE012A7F51CBB2A8048684
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction ID: 74738cda08e431f8e49f015cc54b7062796955a4df79e225a1c83ff769e39505
                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction Fuzzy Hash: 6791033160438D9BCF20DEA4C6547EE73A2AF6630CF10CC1EC8621BB85DB79A949CB51
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
                               • Associated: 00000005.00000002.1865796903.000000006C8B3000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000005.00000002.1865828178.000000006C8B9000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c630000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction ID: ae6ec206d89c3b9631ba36d15d2ea3ed56214c7ebac5b9c14213653f20eabcea
                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction Fuzzy Hash: 5651C37290420D9BCF11CF94DA48ADEB7B5EFA931CF10C81AE81167A90DB76994CC750
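
                               The function records above all follow one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), so they can be pulled into a script for pivoting: counting recovered functions per mapped region (the Offset field), listing the APIs they reach, and grouping them by the string-set half of the API String ID. The records themselves show that second half tracks the String ID (every record with String ID 8Q carries ...-4022487301, and the records with an empty API ID start with 0-). The Python below is an added example written for this edit, not code from the Joe Sandbox report or its tooling; the SAMPLE text is constructed from three of the records listed above, shortened to the fields the parser reads, and the section and field names it keys on are exactly those visible in the records.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Matches "GetLastError.KERNEL32(...), ref: 6C7CD01B", "_free.LIBCMT ref: 6C7CDD49" and
# "Part of subcall function 6C808EA5: __EH_prolog.LIBCMT ref: 6C808EAA".
API_RE = re.compile(r"(?:Part of subcall function [0-9A-Fa-f]+: )?([^.(]+)\.(\w+).*?ref: ([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+)")

# Constructed sample: three records copied from the listing above, shortened to the fields used here.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C7D46D6), ref: 6C7CD01B
• __dosmaperr.LIBCMT ref: 6C7CD022
Memory Dump Source
• Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
• Associated: 00000005.00000002.1864113616.000000006C630000.00000002.00000001.01000000.00000009.sdmp
Similarity
• API ID: ErrorLast__dosmaperr
• String ID: 8Q
• API String ID: 1659562826-4022487301
• Opcode ID: 425720986d8c72e8a43241ff210f3097090c8d814fead69205c8ebcf105d5503
• Instruction Fuzzy Hash: EA41ED32704196AFD721DF6CCA80BA97FE4EF47309F284269E8808B702D3719C02C796
APIs
• _free.LIBCMT ref: 6C7CDD49
• HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C7CA63A,?,00000004,?,4B42FCB6,?,?,6C7BF78C,4B42FCB6,?), ref: 6C7CDD85
Memory Dump Source
• Source File: 00000005.00000002.1864136545.000000006C631000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C630000, based on PE: true
Similarity
• API ID: AllocHeap_free
• String ID: 8Q
• API String ID: 1080816511-4022487301
• Opcode ID: fa47c58c95e95cae6881c793cbef599b47207caecfee1faea8afcad01283ead0
• Instruction Fuzzy Hash: C5F0C832B81A076EDB211E669E4DB9A37688F93B78B150537E81497E90EB30C401D5EB
Strings
Memory Dump Source
• Source File: 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C7E8000, based on PE: true
Similarity
• API ID:
• String ID: D)K$H)K$P)K$T)K
• API String ID: 0-2262112463
• Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
• Instruction Fuzzy Hash: 5651C37290420D9BCF11CF94DA48ADEB7B5EFA931CF10C81AE81167A90DB76994CC750
"""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)        # (api name, module, call-site address)
    offset: str = ""                                # base of the mapped region the function lives in
    similarity: dict = field(default_factory=dict)  # API ID, String ID, API String ID, Opcode ID, ...


def parse_records(text):
    """Split report text into FunctionRecords; each record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith("•"):
            continue                                # blank lines and page chrome
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                cur.apis.append(m.groups())
        elif section == "Memory Dump Source":
            m = SRC_RE.match(body)
            if m:
                cur.offset = m.group(2)
        elif section == "Similarity":
            key, _, value = body.partition(":")
            cur.similarity[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records


def functions_per_region(records):
    """Recovered functions per mapped region, keyed by the record's Offset."""
    return Counter(r.offset for r in records)


def api_names(records):
    """Distinct APIs reached from the recovered functions (a cheap import-style fingerprint)."""
    return sorted({name for r in records for name, _module, _ref in r.apis})


def by_string_hash(records):
    """Group Opcode IDs by the string-set half of 'API String ID' (the part after the dash)."""
    groups = {}
    for r in records:
        _api_hash, _, string_hash = r.similarity.get("API String ID", "").partition("-")
        groups.setdefault(string_hash, []).append(r.similarity.get("Opcode ID", ""))
    return groups
```

                               Run against the full report text instead of SAMPLE, by_string_hash is the useful pivot: records that share a string-set hash across the two dump regions (6C630000 and 6C7E8000) point at the same embedded string set, and the Opcode ID and Instruction Fuzzy Hash values are what you would carry over to compare this sample with other reports.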

                              Execution Graph

                              Execution Coverage:4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0.3%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:31
                               execution_graph: interactive graph widget. Its serialized node and edge list (numeric node ids, function addresses and the API calls reached from each node, among them VariantClear, CharUpperW, GetStdHandle, GetConsoleScreenBufferInfo, wcscmp, strlen, memcpy, memmove, fputs, fputc, malloc, free, _CxxThrowException, __aulldiv and __EH_prolog) is the widget's raw data and is not reproduced here.
b826dd 2 API calls 73809->73810 73811 bbae1d 73810->73811 73812 b82e04 2 API calls 73811->73812 73813 bbae38 73812->73813 73814 b82e04 2 API calls 73813->73814 73815 bbae44 73814->73815 73816 b82e04 2 API calls 73815->73816 73817 bbae68 73816->73817 73824 bbad29 73817->73824 73821 bbae94 73822 b82e04 2 API calls 73821->73822 73823 bbaeb2 73822->73823 73825 bbad33 __EH_prolog 73824->73825 73826 b82e04 2 API calls 73825->73826 73827 bbad5f 73826->73827 73828 b82e04 2 API calls 73827->73828 73829 bbad72 73828->73829 73830 bbaf2d 73829->73830 73831 bbaf37 __EH_prolog 73830->73831 73842 b934f4 malloc _CxxThrowException __EH_prolog 73831->73842 73833 bbafac 73834 b82e04 2 API calls 73833->73834 73835 bbafbb 73834->73835 73836 b82e04 2 API calls 73835->73836 73837 bbafca 73836->73837 73838 b82e04 2 API calls 73837->73838 73839 bbafd9 73838->73839 73840 b82e04 2 API calls 73839->73840 73841 bbafe8 73840->73841 73841->73821 73842->73833 73843 bc8eb1 73848 bc8ed1 73843->73848 73847 bc8ec9 73849 bc8edb __EH_prolog 73848->73849 73857 bc9267 73849->73857 73853 bc8efd 73862 bbe5f1 free ctype 73853->73862 73855 bc8eb9 73855->73847 73856 b81e40 free 73855->73856 73856->73847 73859 bc9271 __EH_prolog 73857->73859 73863 b81e40 free 73859->73863 73860 bc8ef1 73861 bc922b free CloseHandle GetLastError ctype 73860->73861 73861->73853 73862->73855 73863->73860 73864 bb5475 73865 b82fec 3 API calls 73864->73865 73866 bb54b4 73865->73866 73869 bbc911 73866->73869 73868 bb54bb 73870 bbc92f 73869->73870 73871 bbc926 GetTickCount 73869->73871 73872 bbc96d 73870->73872 73875 bbcb64 73870->73875 73939 b82ab1 strcmp 73870->73939 73871->73870 73872->73875 73914 bbc86a 73872->73914 73875->73868 73877 bbc9ce 73877->73875 73922 b827bb 73877->73922 73878 bbc95b 73878->73872 73940 b83542 wcscmp 73878->73940 73882 bbca0a 73883 bbca21 73882->73883 73884 b8286d 5 API calls 73882->73884 73885 bbcb10 73883->73885 73892 b8286d 5 API calls 73883->73892 73887 bbca16 73884->73887 73928 bbcb74 73885->73928 
73886 bbc9e2 73886->73882 73942 b8286d 73886->73942 73949 b828fa malloc _CxxThrowException free memcpy _CxxThrowException 73887->73949 73896 bbca40 73892->73896 73895 bbcb59 73954 bbcb92 malloc _CxxThrowException free 73895->73954 73899 b82fec 3 API calls 73896->73899 73901 bbca4e 73899->73901 73906 b82033 10 API calls 73901->73906 73902 bbcb49 73953 b81f91 fflush 73902->73953 73903 bbcb50 73905 b827bb 3 API calls 73903->73905 73905->73895 73913 bbca6a 73906->73913 73907 bbcaf5 73952 b828fa malloc _CxxThrowException free memcpy _CxxThrowException 73907->73952 73909 b82fec 3 API calls 73909->73913 73912 b82033 10 API calls 73912->73913 73913->73907 73913->73909 73913->73912 73950 b83599 memmove 73913->73950 73951 b83402 malloc _CxxThrowException free memmove _CxxThrowException 73913->73951 73915 bbc88c __aulldiv 73914->73915 73916 bbc8d3 strlen 73915->73916 73917 bbc8f1 73916->73917 73918 bbc900 73916->73918 73917->73918 73920 b8286d 5 API calls 73917->73920 73919 b828a1 5 API calls 73918->73919 73921 bbc90c 73919->73921 73920->73917 73921->73877 73941 b82ab1 strcmp 73921->73941 73923 b827c7 73922->73923 73927 b827e3 73922->73927 73924 b81e0c ctype 2 API calls 73923->73924 73923->73927 73925 b827da 73924->73925 73955 b81e40 free 73925->73955 73927->73886 73929 bbcb1c 73928->73929 73930 bbcb7c strcmp 73928->73930 73929->73895 73931 bbc7d7 73929->73931 73930->73929 73932 bbc7ea 73931->73932 73933 bbc849 73931->73933 73934 bbc7fe fputs 73932->73934 73956 b825cb malloc _CxxThrowException free _CxxThrowException ctype 73932->73956 73935 bbc85a fputs 73933->73935 73957 b81f91 fflush 73933->73957 73934->73933 73935->73902 73935->73903 73939->73878 73940->73872 73941->73877 73958 b81e9d 73942->73958 73945 b828a1 73946 b828b0 73945->73946 73946->73946 73963 b8267f 73946->73963 73948 b828bf 73948->73882 73949->73883 73950->73913 73951->73913 73952->73885 73953->73903 73954->73875 73955->73927 73956->73934 73957->73935 73959 b81ea8 73958->73959 73960 b81ead 73958->73960 73962 
b8263c malloc _CxxThrowException free memcpy _CxxThrowException 73959->73962 73960->73945 73962->73960 73964 b826c2 73963->73964 73966 b82693 73963->73966 73964->73948 73965 b826c8 _CxxThrowException 73968 b826dd 73965->73968 73966->73965 73967 b826bc 73966->73967 73972 b82595 malloc _CxxThrowException free memcpy ctype 73967->73972 73969 b81e0c ctype 2 API calls 73968->73969 73971 b826ea 73969->73971 73971->73948 73972->73964 73973 c069d0 73974 c069d4 73973->73974 73975 c069d7 malloc 73973->73975 73977 b91368 73979 b9136d 73977->73979 73980 b9138c 73979->73980 73983 c17d80 WaitForSingleObject 73979->73983 73986 bbf745 73979->73986 73990 c17ea0 SetEvent GetLastError 73979->73990 73984 c17d98 73983->73984 73985 c17d8e GetLastError 73983->73985 73984->73979 73985->73984 73987 bbf74f __EH_prolog 73986->73987 73991 bbf784 73987->73991 73989 bbf765 73989->73979 73990->73979 73992 bbf78e __EH_prolog 73991->73992 74000 b912d4 73992->74000 73995 b912d4 4 API calls 73996 bbf7d4 73995->73996 73997 bbf871 73996->73997 74008 b8c4d6 73996->74008 74014 c06b23 VirtualAlloc 73996->74014 73997->73989 74001 b912e7 74000->74001 74007 b91327 74000->74007 74002 b912ef _CxxThrowException 74001->74002 74003 b91304 74001->74003 74002->74003 74015 b81e40 free 74003->74015 74005 b9130b 74006 b81e0c ctype 2 API calls 74005->74006 74006->74007 74007->73995 74012 b8c4e9 74008->74012 74009 b8c6f3 74009->73997 74012->74009 74013 b8c695 memmove 74012->74013 74016 b9111c 74012->74016 74021 b911b4 74012->74021 74013->74012 74014->73997 74015->74005 74017 b91130 74016->74017 74018 b9115f 74017->74018 74026 b8b668 74017->74026 74045 b8d331 74017->74045 74018->74012 74023 b911c1 74021->74023 74022 b911eb 74022->74012 74023->74022 74066 bcaf27 74023->74066 74073 bcae7c 74023->74073 74034 b8b675 74026->74034 74027 b8b864 74049 b87b7c 74027->74049 74030 b8b8aa GetLastError 74031 b8b6aa 74030->74031 74031->74017 74032 b8b81b 74032->74031 74036 b8b839 memcpy 74032->74036 74033 b8b7e7 74033->74027 74038 
b87731 5 API calls 74033->74038 74034->74027 74034->74031 74034->74032 74034->74033 74037 b8b811 74034->74037 74039 b8b7ad 74034->74039 74053 b87731 74034->74053 74062 b87b4f ReadFile 74034->74062 74036->74031 74063 b8b8ec GetLastError 74037->74063 74040 b8b80d 74038->74040 74039->74034 74044 b8b8c7 74039->74044 74061 c06a20 VirtualAlloc 74039->74061 74040->74027 74040->74037 74044->74031 74046 b8d355 74045->74046 74047 b8d374 74046->74047 74048 b8b668 10 API calls 74046->74048 74047->74017 74048->74047 74050 b87b89 74049->74050 74064 b87b4f ReadFile 74050->74064 74052 b87b9a 74052->74030 74052->74031 74054 b8775c SetFilePointer 74053->74054 74058 b87740 74053->74058 74055 b87780 GetLastError 74054->74055 74057 b877a1 74054->74057 74056 b8778c 74055->74056 74055->74057 74065 b876d6 SetFilePointer GetLastError 74056->74065 74057->74034 74058->74054 74060 b87796 SetLastError 74060->74057 74061->74039 74062->74034 74063->74031 74064->74052 74065->74060 74071 bcaf36 74066->74071 74067 bcaeeb 107 API calls 74067->74071 74068 bcb010 74068->74023 74071->74067 74071->74068 74078 b8bd0c 74071->74078 74083 bcad3a 74071->74083 74087 bcaebf 107 API calls 74071->74087 74074 bcae86 74073->74074 74076 b97140 7 API calls 74074->74076 74728 b97190 74074->74728 74075 bcaebb 74075->74023 74076->74075 74088 b87ca2 74078->74088 74081 b8bd3d 74081->74071 74084 bcad44 __EH_prolog 74083->74084 74096 b96305 74084->74096 74085 bcadbf 74085->74071 74087->74071 74091 b87caf 74088->74091 74090 b87cdb 74090->74081 74092 b8b8ec GetLastError 74090->74092 74091->74090 74093 b87c68 74091->74093 74092->74081 74094 b87c79 WriteFile 74093->74094 74095 b87c76 74093->74095 74094->74091 74095->74094 74097 b9630f __EH_prolog 74096->74097 74133 b962b9 74097->74133 74100 b96427 74102 b8965d VariantClear 74100->74102 74101 b9644a 74137 b8965d 74101->74137 74125 b96445 74102->74125 74112 b965de 74113 b9669e 74112->74113 74114 b965e7 74112->74114 74120 b966b8 74113->74120 74121 b96754 74113->74121 74113->74125 
74116 b81e0c ctype 2 API calls 74114->74116 74119 b965f6 74114->74119 74115 b964da 74115->74112 74115->74125 74302 b9789c free memmove ctype 74115->74302 74116->74119 74303 ba36ea 74119->74303 74124 b81e0c ctype 2 API calls 74120->74124 74190 b95bea 74121->74190 74123 b9666b 74316 b81e40 free 74123->74316 74124->74125 74125->74085 74127 b964ca 74127->74115 74127->74125 74301 b842e3 CharUpperW 74127->74301 74128 b9665c 74315 b831e5 malloc _CxxThrowException free _CxxThrowException 74128->74315 74134 b962c9 74133->74134 74317 ba8fa4 74134->74317 74138 b89685 74137->74138 74140 b89665 74137->74140 74141 b95126 74138->74141 74139 b8967e VariantClear 74139->74138 74140->74138 74140->74139 74142 b95130 __EH_prolog 74141->74142 74143 b951b4 74142->74143 74149 b9518e 74142->74149 74361 b83097 malloc _CxxThrowException free SysStringLen ctype 74142->74361 74146 b8965d VariantClear 74143->74146 74143->74149 74145 b8965d VariantClear 74147 b9527f 74145->74147 74148 b951bc 74146->74148 74147->74125 74183 ba8b05 74147->74183 74148->74149 74150 b95289 74148->74150 74151 b95206 74148->74151 74149->74145 74150->74149 74152 b95221 74150->74152 74362 b83097 malloc _CxxThrowException free SysStringLen ctype 74151->74362 74154 b8965d VariantClear 74152->74154 74155 b9522d 74154->74155 74155->74147 74156 b95351 74155->74156 74363 b95459 malloc _CxxThrowException __EH_prolog 74155->74363 74156->74147 74163 b953a1 74156->74163 74368 b835e7 memmove 74156->74368 74159 b952ba 74364 b88011 5 API calls ctype 74159->74364 74161 b952cf 74174 b952fd 74161->74174 74365 b8823d 10 API calls 2 library calls 74161->74365 74163->74147 74369 b843b7 5 API calls 2 library calls 74163->74369 74166 b952e5 74167 b82fec 3 API calls 74166->74167 74168 b952f5 74167->74168 74366 b81e40 free 74168->74366 74169 b9540e 74371 b9789c free memmove ctype 74169->74371 74173 b953df 74173->74169 74175 b9541c 74173->74175 74370 b842e3 CharUpperW 74173->74370 74367 b954a0 free ctype 74174->74367 74176 ba36ea 5 API calls 
74175->74176 74177 b95427 74176->74177 74178 b82fec 3 API calls 74177->74178 74179 b95433 74178->74179 74372 b81e40 free 74179->74372 74181 b9543b 74373 bb2db9 free ctype 74181->74373 74184 ba8b2e 74183->74184 74185 b8965d VariantClear 74184->74185 74186 b9648a 74185->74186 74186->74125 74187 b94d78 74186->74187 74374 ba9262 74187->74374 74191 b95bf4 __EH_prolog 74190->74191 74381 b954c0 74191->74381 74194 ba8b05 VariantClear 74195 b95c34 74194->74195 74236 b95e17 74195->74236 74396 b95630 74195->74396 74198 ba36ea 5 API calls 74199 b95c51 74198->74199 74200 b95c60 74199->74200 74499 b957c1 53 API calls 2 library calls 74199->74499 74202 b82f1c 2 API calls 74200->74202 74203 b95c6c 74202->74203 74206 b95caa 74203->74206 74500 b96217 4 API calls 2 library calls 74203->74500 74205 b95c91 74207 b82fec 3 API calls 74205->74207 74214 b82e04 2 API calls 74206->74214 74228 b95d49 74206->74228 74208 b95c9e 74207->74208 74501 b81e40 free 74208->74501 74209 b95d91 74213 b95da6 74209->74213 74417 b958be 74209->74417 74210 b95d55 74212 b82fec 3 API calls 74210->74212 74215 b95d66 74212->74215 74218 b82fec 3 API calls 74213->74218 74299 b95d8c 74213->74299 74219 b95cd2 74214->74219 74217 b95d73 74215->74217 74507 b85b2d 74215->74507 74217->74213 74221 b95dd1 74218->74221 74502 b81e40 free 74219->74502 74221->74299 74224 b95cf5 74224->74228 74233 b82fec 3 API calls 74224->74233 74228->74209 74228->74210 74236->74125 74538 b81e40 free 74299->74538 74300 b95110 9 API calls 74300->74127 74301->74127 74302->74112 74304 ba36f4 __EH_prolog 74303->74304 74305 b82e04 2 API calls 74304->74305 74306 ba370a 74305->74306 74307 ba3736 74306->74307 74726 b81089 malloc _CxxThrowException free _CxxThrowException 74306->74726 74727 b831e5 malloc _CxxThrowException free _CxxThrowException 74306->74727 74308 b82f1c 2 API calls 74307->74308 74311 ba3742 74308->74311 74725 b81e40 free 74311->74725 74313 b96633 74313->74123 74313->74128 74314 b81089 malloc _CxxThrowException free _CxxThrowException 
74313->74314 74314->74128 74315->74123 74316->74125 74318 ba8fae __EH_prolog 74317->74318 74319 ba7ebb free 74318->74319 74320 ba8ff2 74319->74320 74351 ba8b64 74320->74351 74324 ba9020 74325 b82fec 3 API calls 74324->74325 74341 b96302 74324->74341 74326 ba903a 74325->74326 74339 ba904d 74326->74339 74355 ba8b80 VariantClear 74326->74355 74328 ba91b0 74358 ba8b9c 10 API calls 2 library calls 74328->74358 74329 ba9244 74360 b843b7 5 API calls 2 library calls 74329->74360 74330 ba9144 74333 b82f88 3 API calls 74330->74333 74337 ba917b 74330->74337 74333->74337 74334 ba91c0 74334->74341 74344 b82f88 3 API calls 74334->74344 74335 ba9100 74338 b8965d VariantClear 74335->74338 74336 ba90d6 74336->74335 74340 ba90e7 74336->74340 74357 ba8f2e 9 API calls 74336->74357 74337->74328 74337->74329 74338->74341 74339->74330 74339->74335 74339->74336 74339->74341 74356 b83097 malloc _CxxThrowException free SysStringLen ctype 74339->74356 74345 b8965d VariantClear 74340->74345 74341->74100 74341->74101 74341->74125 74348 ba91ff 74344->74348 74345->74330 74346 ba9112 74346->74335 74347 ba8b64 VariantClear 74346->74347 74349 ba9123 74347->74349 74348->74341 74359 b850ff free ctype 74348->74359 74349->74335 74349->74340 74352 ba8b05 VariantClear 74351->74352 74353 ba8b6f 74352->74353 74353->74341 74354 ba8f2e 9 API calls 74353->74354 74354->74324 74355->74339 74356->74336 74357->74346 74358->74334 74359->74341 74360->74341 74361->74143 74362->74152 74363->74159 74364->74161 74365->74166 74366->74174 74367->74156 74368->74156 74369->74173 74370->74173 74371->74175 74372->74181 74373->74147 74375 ba926c __EH_prolog 74374->74375 74376 ba92fc 74375->74376 74379 ba92a4 74375->74379 74378 b8965d VariantClear 74376->74378 74377 b8965d VariantClear 74380 b94d91 74377->74380 74378->74380 74379->74377 74380->74125 74380->74127 74380->74300 74382 b954ca __EH_prolog 74381->74382 74383 b95507 74382->74383 74385 b8965d VariantClear 74382->74385 74384 b8965d VariantClear 74383->74384 74386 b95567 
74384->74386 74387 b95528 74385->74387 74386->74194 74386->74236 74387->74383 74388 b95572 74387->74388 74389 b8965d VariantClear 74388->74389 74390 b9558e 74389->74390 74540 b94cac VariantClear __EH_prolog 74390->74540 74392 b955a1 74392->74386 74541 b94cac VariantClear __EH_prolog 74392->74541 74394 b955b8 74394->74386 74542 b94cac VariantClear __EH_prolog 74394->74542 74398 b9563a __EH_prolog 74396->74398 74399 b95679 74398->74399 74543 ba3558 10 API calls 2 library calls 74398->74543 74400 b82f1c 2 API calls 74399->74400 74416 b9571a 74399->74416 74401 b95696 74400->74401 74544 ba3333 malloc _CxxThrowException free 74401->74544 74403 b956a2 74404 b956ad 74403->74404 74405 b956c5 74403->74405 74545 b97853 5 API calls 2 library calls 74404->74545 74411 b956b4 74405->74411 74546 b84adf wcscmp 74405->74546 74408 b95707 74549 b831e5 malloc _CxxThrowException free _CxxThrowException 74408->74549 74411->74408 74548 b81089 malloc _CxxThrowException free _CxxThrowException 74411->74548 74412 b956d2 74412->74411 74547 b97853 5 API calls 2 library calls 74412->74547 74413 b95712 74550 b81e40 free 74413->74550 74416->74198 74418 b958c8 __EH_prolog 74417->74418 74419 b82e04 2 API calls 74418->74419 74499->74200 74500->74205 74501->74206 74502->74224 74540->74392 74541->74394 74542->74386 74543->74399 74544->74403 74545->74411 74546->74412 74547->74411 74548->74408 74549->74413 74550->74416 74725->74313 74726->74306 74727->74306 74729 b9719a __EH_prolog 74728->74729 74730 b971b0 74729->74730 74734 b971dd 74729->74734 74731 b94d78 VariantClear 74730->74731 74732 b971b7 74731->74732 74732->74075 74741 b96fc5 74734->74741 74735 b972b4 74737 b94d78 VariantClear 74735->74737 74738 b972c0 74735->74738 74736 b97236 74736->74732 74736->74735 74740 b972a3 SetFileSecurityW 74736->74740 74737->74738 74738->74732 74739 b97140 7 API calls 74738->74739 74739->74732 74740->74735 74742 b96fcf __EH_prolog 74741->74742 74764 b944a6 74742->74764 74748 b97051 74752 b911b4 107 API calls 
74748->74752 74756 b9706a 74748->74756 74749 b97029 74749->74756 74786 b94dff 7 API calls 2 library calls 74749->74786 74752->74756 74753 b86096 15 API calls 74755 b970d1 74753->74755 74754 b9710b 74754->74736 74757 b970e2 74755->74757 74787 b94dff 7 API calls 2 library calls 74755->74787 74767 b968ac 74756->74767 74761 b9709e 74757->74761 74788 b96b5e 69 API calls 2 library calls 74757->74788 74760 b970fd 74760->74761 74762 b97103 74760->74762 74790 b81e40 free 74761->74790 74789 b81e40 free 74762->74789 74765 b82e04 2 API calls 74764->74765 74766 b944be 74765->74766 74766->74749 74766->74756 74785 b96e71 12 API calls 2 library calls 74766->74785 74768 b968b6 __EH_prolog 74767->74768 74769 b96921 74768->74769 74771 b87d4b 6 API calls 74768->74771 74782 b968c5 74768->74782 74770 b96962 74769->74770 74776 b96998 74769->74776 74793 b96a17 6 API calls 2 library calls 74769->74793 74770->74776 74794 b82dcd malloc _CxxThrowException 74770->74794 74774 b96906 74771->74774 74774->74769 74792 b94dff 7 API calls 2 library calls 74774->74792 74775 b969e1 74797 b8bcf8 CloseHandle 74775->74797 74776->74775 74791 b87c3b SetFileTime 74776->74791 74778 b9697a 74795 b96b09 13 API calls __EH_prolog 74778->74795 74782->74753 74782->74761 74783 b9698c 74796 b81e40 free 74783->74796 74785->74749 74786->74748 74787->74757 74788->74760 74789->74754 74790->74754 74791->74775 74792->74769 74793->74770 74794->74778 74795->74783 74796->74776 74797->74782 74798 bba42c 74799 bba449 74798->74799 74800 bba435 fputs 74798->74800 74957 bb545d 74799->74957 74956 b81fa0 fputc 74800->74956 74804 b82e04 2 API calls 74805 bba4a1 74804->74805 74961 ba1858 74805->74961 74807 bba4c9 75023 b81e40 free 74807->75023 74809 bba4d8 74810 bba4ee 74809->74810 74811 bbc7d7 ctype 6 API calls 74809->74811 74812 bba50e 74810->74812 75024 bb57fb 74810->75024 74811->74810 75034 bbc73e 74812->75034 74817 bbac17 75190 bb2db9 free ctype 74817->75190 74818 b81e0c ctype 2 API calls 74819 bba53a 74818->74819 74822 bba54d 
74819->74822 75160 bbb0fa malloc _CxxThrowException __EH_prolog 74819->75160 74821 bbac23 74823 bbac3a 74821->74823 74825 bbac35 74821->74825 74829 b82fec 3 API calls 74822->74829 75192 bbb96d _CxxThrowException 74823->75192 75191 bbb988 33 API calls __aulldiv 74825->75191 74828 bbac42 75193 b81e40 free 74828->75193 74834 bba586 74829->74834 74831 bbac4d 74832 ba3247 free 74831->74832 74833 bbac5d 74832->74833 75194 b81e40 free 74833->75194 75052 bbad06 74834->75052 74839 bbac7d 75195 b811c2 free __EH_prolog ctype 74839->75195 74842 bbac89 75196 bbbe0c free __EH_prolog ctype 74842->75196 74843 b93a29 5 API calls 74845 bba62e 74843->74845 74847 b82e04 2 API calls 74845->74847 74846 bbac98 75197 bb2db9 free ctype 74846->75197 74849 bba636 74847->74849 75060 ba4345 74849->75060 74850 bbaca4 74853 bba676 75066 ba2096 74853->75066 74856 bba66f 74934 bbaae5 75189 bb2db9 free ctype 74934->75189 74956->74799 74958 bb5473 74957->74958 74959 bb5466 74957->74959 74958->74804 75198 b8275e malloc _CxxThrowException free ctype 74959->75198 74962 ba1862 __EH_prolog 74961->74962 75199 ba021a 74962->75199 74967 ba18db 74969 ba1935 74967->74969 74976 bc04d2 5 API calls 74967->74976 75215 ba0144 malloc _CxxThrowException free _CxxThrowException 74967->75215 75216 b81524 malloc _CxxThrowException __EH_prolog ctype 74967->75216 75217 b81e40 free 74967->75217 74968 ba18b9 75213 ba1aa5 free __EH_prolog ctype 74968->75213 75218 ba1aa5 free __EH_prolog ctype 74969->75218 74972 ba18c7 75214 bb2db9 free ctype 74972->75214 74974 ba1944 74997 ba1966 74974->74997 75219 ba1d73 5 API calls __EH_prolog 74974->75219 74976->74967 74978 ba18d3 74978->74807 74979 ba1958 _CxxThrowException 74979->74997 74980 ba19be 75226 baf1f1 malloc _CxxThrowException free _CxxThrowException 74980->75226 74983 b82e04 2 API calls 74983->74997 74984 ba19d6 74986 ba7ebb free 74984->74986 74988 ba19e1 74986->74988 74989 b912d4 4 API calls 74988->74989 74991 ba19ea 74989->74991 74990 bc04d2 5 API calls 74990->74997 74992 
ba7ebb free 74991->74992 74994 ba19f7 74992->74994 74995 b912d4 4 API calls 74994->74995 75005 ba19ff 74995->75005 74997->74980 74997->74983 74997->74990 75220 b8631f 74997->75220 75224 b81524 malloc _CxxThrowException __EH_prolog ctype 74997->75224 75225 b81e40 free 74997->75225 74998 ba1a4f 75228 b81e40 free 74998->75228 75000 b81524 malloc _CxxThrowException 75000->75005 75001 ba1a57 75229 bb2db9 free ctype 75001->75229 75003 ba1a64 75230 bb2db9 free ctype 75003->75230 75005->74998 75005->75000 75007 ba1a83 75005->75007 75227 b842e3 CharUpperW 75005->75227 75231 ba1d73 5 API calls __EH_prolog 75007->75231 75009 ba1a97 _CxxThrowException 75010 ba1aa5 __EH_prolog 75009->75010 75232 b81e40 free 75010->75232 75012 ba1ac8 75233 ba02e8 free ctype 75012->75233 75014 ba1ad1 75234 ba1eab free __EH_prolog ctype 75014->75234 75016 ba1add 75235 b81e40 free 75016->75235 75018 ba1ae5 75236 b81e40 free 75018->75236 75020 ba1aed 75237 bb2db9 free ctype 75020->75237 75022 ba1afa 75022->74807 75023->74809 75025 bb5805 __EH_prolog 75024->75025 75026 b826dd 2 API calls 75025->75026 75033 bb5847 75025->75033 75027 bb5819 75026->75027 75417 bb5678 75027->75417 75031 bb583f 75434 b81e40 free 75031->75434 75033->74812 75035 bbc748 __EH_prolog 75034->75035 75036 bbc7d7 ctype 6 API calls 75035->75036 75037 bbc75d 75036->75037 75451 b81e40 free 75037->75451 75039 bbc768 75452 ba2c0b 75039->75452 75043 bbc77d 75458 b81e40 free 75043->75458 75045 bbc785 75459 b81e40 free 75045->75459 75047 bbc78d 75460 b81e40 free 75047->75460 75049 bbc795 75050 ba2c0b ctype free 75049->75050 75051 bba51d 75050->75051 75051->74818 75051->74934 75053 bbad29 2 API calls 75052->75053 75054 bba5d8 75053->75054 75055 bbbf3e 75054->75055 75056 b82fec 3 API calls 75055->75056 75057 bbbf85 75056->75057 75058 b82fec 3 API calls 75057->75058 75059 bba5ee 75058->75059 75059->74843 75061 ba434f __EH_prolog 75060->75061 75062 b82e04 2 API calls 75061->75062 75063 ba436d 75062->75063 75064 b82e04 2 API calls 75063->75064 
75065 ba4379 75064->75065 75065->74853 75161 ba375c 22 API calls 2 library calls 75065->75161 75160->74822 75161->74856 75189->74817 75190->74821 75191->74823 75192->74828 75193->74831 75194->74839 75195->74842 75196->74846 75197->74850 75198->74958 75200 ba0224 __EH_prolog 75199->75200 75238 b93d66 75200->75238 75203 ba062e 75209 ba0638 __EH_prolog 75203->75209 75204 ba06de 75325 ba019a malloc _CxxThrowException free memcpy 75204->75325 75206 ba06e6 75326 ba1453 26 API calls 2 library calls 75206->75326 75207 ba01bc malloc _CxxThrowException free _CxxThrowException memcpy 75207->75209 75209->75204 75209->75207 75212 ba06ee 75209->75212 75254 ba0703 75209->75254 75324 bb2db9 free ctype 75209->75324 75212->74967 75212->74968 75213->74972 75214->74978 75215->74967 75216->74967 75217->74967 75218->74974 75219->74979 75221 b89245 75220->75221 75365 b890da 75221->75365 75224->74997 75225->74997 75226->74984 75227->75005 75228->75001 75229->75003 75230->74978 75231->75009 75232->75012 75233->75014 75234->75016 75235->75018 75236->75020 75237->75022 75249 c1fb10 75238->75249 75240 b93d70 GetCurrentProcess 75250 b93e04 75240->75250 75242 b93d8d OpenProcessToken 75243 b93d9e LookupPrivilegeValueW 75242->75243 75244 b93de3 75242->75244 75243->75244 75245 b93dc0 AdjustTokenPrivileges 75243->75245 75246 b93e04 CloseHandle 75244->75246 75245->75244 75247 b93dd5 GetLastError 75245->75247 75248 b93def 75246->75248 75247->75244 75248->75203 75249->75240 75251 b93e0d 75250->75251 75252 b93e11 CloseHandle 75250->75252 75251->75242 75253 b93e21 75252->75253 75253->75242 75323 ba070d __EH_prolog 75254->75323 75255 ba0e1d 75362 ba0416 18 API calls 2 library calls 75255->75362 75256 ba0c83 75256->75255 75258 ba0d11 75256->75258 75356 b87496 7 API calls 2 library calls 75258->75356 75259 b82da9 2 API calls 75259->75323 75262 ba0c13 75353 b81e40 free 75262->75353 75265 b82da9 2 API calls 75306 ba0ab5 75265->75306 75266 ba0b40 75266->75209 75267 ba0de0 75358 bb2db9 free ctype 75267->75358 
75268 b82f1c 2 API calls 75293 ba0d29 75268->75293 75270 ba0e47 75271 ba0ea6 75270->75271 75363 ba117d 68 API calls 2 library calls 75270->75363 75364 bcec78 free ctype 75271->75364 75272 b82e04 2 API calls 75272->75323 75274 ba0df8 75360 b81e40 free 75274->75360 75275 b82e04 2 API calls 75275->75306 75278 ba0e02 75361 bb2db9 free ctype 75278->75361 75280 b82e04 2 API calls 75280->75293 75282 b82fec 3 API calls 75282->75323 75286 b82fec 3 API calls 75286->75293 75287 b82fec 3 API calls 75287->75306 75291 ba050b 44 API calls 75291->75306 75293->75267 75293->75268 75293->75274 75293->75280 75293->75286 75294 ba0df3 75293->75294 75298 b81e40 free ctype 75293->75298 75357 ba117d 68 API calls 2 library calls 75293->75357 75359 b81e40 free 75294->75359 75295 ba0b26 75345 b81e40 free 75295->75345 75298->75293 75300 ba0c79 75355 b81e40 free 75300->75355 75301 ba0b30 75346 b81e40 free 75301->75346 75303 b81e40 free ctype 75303->75306 75306->75262 75306->75265 75306->75275 75306->75287 75306->75291 75306->75300 75306->75303 75344 b82f4a malloc _CxxThrowException free ctype 75306->75344 75349 b81089 malloc _CxxThrowException free _CxxThrowException 75306->75349 75350 ba13eb 5 API calls 2 library calls 75306->75350 75351 ba0ef4 68 API calls 2 library calls 75306->75351 75352 bb2db9 free ctype 75306->75352 75354 ba0021 GetLastError 75306->75354 75307 ba0b38 75347 b81e40 free 75307->75347 75314 bc04d2 malloc _CxxThrowException free _CxxThrowException memcpy 75314->75323 75317 ba0b48 75348 bb2db9 free ctype 75317->75348 75319 bb2db9 free ctype 75319->75323 75320 b81524 malloc _CxxThrowException 75320->75323 75321 b81e40 free ctype 75321->75323 75323->75256 75323->75259 75323->75266 75323->75272 75323->75282 75323->75295 75323->75306 75323->75314 75323->75317 75323->75319 75323->75320 75323->75321 75327 b82f4a malloc _CxxThrowException free ctype 75323->75327 75328 b81089 malloc _CxxThrowException free _CxxThrowException 75323->75328 75329 ba13eb 5 API calls 2 library calls 
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BC81F1
                                • Part of subcall function 00BCF749: _CxxThrowException.MSVCRT(?,00C34A58), ref: 00BCF792
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 461045715-3916222277
                              • Opcode ID: 3b24c2c0a83dcda8028c46630cd80ee26fd5533aa3174cbf6a07649ea2dc7544
                              • Instruction ID: 298469db53d33c513afc52ca75c68d880ec02c82f1180ed402fcba994d54a802
                              • Opcode Fuzzy Hash: 3b24c2c0a83dcda8028c46630cd80ee26fd5533aa3174cbf6a07649ea2dc7544
                              • Instruction Fuzzy Hash: AB926A30900249DFDB15DFA8C884FAEBBF1EF58304F24449DE855AB2A2CB71AD45CB61
                              APIs
                              • __EH_prolog.LIBCMT ref: 00B8686D
                                • Part of subcall function 00B86848: FindClose.KERNELBASE(00000000,?,00B86880), ref: 00B86853
                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00B868A5
                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00B868DE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: Find$FileFirst$CloseH_prolog
                              • String ID:
                              • API String ID: 3371352514-0
                              • Opcode ID: 7b2c147dc5c99c544b40c9deff5504a47f0f51184b2234dabea6215e624994bc
                              • Instruction ID: bb85b5c473c37ac184d749eb9495e409ac0ea7eed8fb5abab6f24c9d9dacf5f7
                              • Opcode Fuzzy Hash: 7b2c147dc5c99c544b40c9deff5504a47f0f51184b2234dabea6215e624994bc
                              • Instruction Fuzzy Hash: 2F1190315002099BCF14FF64D8929EDB7F9EF50324F1046AAE965571A1DB318E86DB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph of basic blocks for the function entered at 0x00BBA013 (blocks from 0x00BBA013 to 0x00BBACB5, with calls to fputs in the reporting blocks); the executed / not-executed colouring is only available in the interactive report and is not reproduced here.
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$ExceptionThrow
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                              • API String ID: 3665150552-429544124
                              • Opcode ID: 8a90fee34aaccf9f5ea80069bfb6e4ecbe7b3e126c2648c407bc572b04dabd3e
                              • Instruction ID: 576122beb4878e06451ee1d329e26cfa403e4518667275a5fd7ca8920b1249b6
                              • Opcode Fuzzy Hash: 8a90fee34aaccf9f5ea80069bfb6e4ecbe7b3e126c2648c407bc572b04dabd3e
                              • Instruction Fuzzy Hash: 22525731D052589FCF2AEBA4C895BEDBBF5AF54304F1440DAE44A632A1DBB06A85CF11

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph of basic blocks for the function entered at 0x00BBA42C (blocks from 0x00BBA42C to 0x00BBACB5; the entry block calls fputs with "Scanning the drive for archives:"); the executed / not-executed colouring is only available in the interactive report and is not reproduced here.
                              APIs
                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 00BBA43E
                                • Part of subcall function 00B81FA0: fputc.MSVCRT ref: 00B81FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                              • API String ID: 269475090-3104439828
                              • Opcode ID: 67420cc5a6f0ea0a02bea878f0e728544e56548e055a432b749f21b5fb88028e
                              • Instruction ID: e436bba14010d704226f4a492cba41412e8594bc6a3da0e70384850763bc1b89
                              • Opcode Fuzzy Hash: 67420cc5a6f0ea0a02bea878f0e728544e56548e055a432b749f21b5fb88028e
                              • Instruction Fuzzy Hash: 7E225931D052589FDF2AEBA4C895BEDBBF5EF54300F1444DAE44A622A1DBB06E84CF11

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph of basic blocks for the function entered at 0x00BB8012 (blocks from 0x00BB8012 to 0x00BB82B9, with calls to fputs and SysFreeString); the executed / not-executed colouring is only available in the interactive report and is not reproduced here.
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BB8017
                              • fputs.MSVCRT ref: 00BB804D
                                • Part of subcall function 00BB8341: __EH_prolog.LIBCMT ref: 00BB8346
                                • Part of subcall function 00BB8341: fputs.MSVCRT ref: 00BB835B
                                • Part of subcall function 00BB8341: fputs.MSVCRT ref: 00BB8364
                              • fputs.MSVCRT ref: 00BB807A
                                • Part of subcall function 00B81FA0: fputc.MSVCRT ref: 00B81FA7
                                • Part of subcall function 00B8965D: VariantClear.OLEAUT32(?), ref: 00B8967F
                              • SysFreeString.OLEAUT32(00000000), ref: 00BB81AA
                              • fputs.MSVCRT ref: 00BB81CD
                              • SysFreeString.OLEAUT32(00000000), ref: 00BB8267
                              • SysFreeString.OLEAUT32(00000000), ref: 00BB82B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2889736305-3797937567
                              • Opcode ID: e47b9755f8dc646a7b14c65b27bf189f8717d53d1b859d5dfc5d12f980c5e6f5
                              • Instruction ID: ef54c826749354182e8f94bfb6afca1244ccae55168eaf80778676d366dec415
                              • Opcode Fuzzy Hash: e47b9755f8dc646a7b14c65b27bf189f8717d53d1b859d5dfc5d12f980c5e6f5
                              • Instruction Fuzzy Hash: C2914971A00609EFDB14EFA4D985AFEB7F9FF48350F1041A9E412A7691DBB0AD06CB50
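                              The Similarity blocks above give, per function, an API ID, a String ID and an instruction fuzzy hash. The Python below is an added example, not part of the Joe Sandbox report, showing how an analyst pivots on those fields to check whether the dropped module is 7-Zip's console front end (the snapshot is named 7zr) rather than custom loader code. It copies the records of the functions at 0x00BBA013, 0x00BBA42C and 0x00BB8012 from this page, clusters them by fuzzy hash, and lists which 7-Zip console strings each one references. The per-position nibble match ratio is my own approximation of fuzzy-hash similarity, not Joe Sandbox's scoring method, and the marker-string set is an assumption drawn from strings that appear in 7-Zip's console source.

```python
"""Pivot on Joe Sandbox per-function Similarity records (added example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FunctionRecord:
    entry: int              # function entry address in the dumped module
    api_id: str             # Joe Sandbox "API ID" field
    string_id: str          # Joe Sandbox "String ID" field ('$'-separated)
    api_string_id: str      # Joe Sandbox "API String ID" field
    instruction_fuzzy_hash: str

    def strings(self) -> set[str]:
        """Split the '$'-separated String ID into individual strings."""
        return {s.strip() for s in self.string_id.split("$") if s.strip()}


# Records copied from the report for three functions of the dropped 7zr module.
RECORDS = [
    FunctionRecord(
        0xBBA013, "fputs$ExceptionThrow",
        "7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: "
        "$Archives with Warnings: $Archives: $Can't open as archive: $Compressed: "
        "$ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: "
        "$Sub items Errors: $Warnings: $N",
        "3665150552-429544124",
        "22525731D052589FCF2AEBA4C895BEDBBF5AF54304F1440DAE44A632A1DBB06A85CF11"),
    FunctionRecord(
        0xBBA42C, "fputcfputs",
        "Alternate Streams Size: $Alternate Streams: $Archives with Errors: "
        "$Archives with Warnings: $Archives: $Can't open as archive: $Compressed: "
        "$ERROR:$Files: $Folders: $OK archives: $Open Errors: "
        "$Scanning the drive for archives:$Size: $Warnings: $!\"$N",
        "269475090-3104439828",
        "7E225931D052589FDF2AEBA4C895BEDBBF5EF54300F1444DAE44A622A1DBB06E84CF11"),
    FunctionRecord(
        0xBB8012, "fputs$FreeString$H_prolog$ClearVariantfputc",
        "--$----$Path$Type$Warning: The archive is open with offset",
        "2889736305-3797937567",
        "C2914971A00609EFDB14EFA4D985AFEB7F9FF48350F1041A9E412A7691DBB0AD06CB50"),
]

# Assumption: strings that 7-Zip's console front end prints; used only as a pivot.
SEVEN_ZIP_CONSOLE_MARKERS = {
    "7zCon.sfx",
    "Scanning the drive for archives:",
    "Can't open as archive:",
}


def fuzzy_similarity(a: str, b: str) -> float:
    """Per-position nibble match ratio of two fuzzy hashes (approximation).

    Hashes of different length are treated as unrelated (0.0).
    """
    if not a or len(a) != len(b):
        return 0.0
    matches = sum(1 for x, y in zip(a.upper(), b.upper()) if x == y)
    return matches / len(a)


def cluster_by_fuzzy_hash(records: list[FunctionRecord],
                          threshold: float = 0.8) -> list[list[FunctionRecord]]:
    """Greedy single-linkage clustering: a record joins the first cluster that
    contains a member within `threshold`; otherwise it starts a new cluster."""
    clusters: list[list[FunctionRecord]] = []
    for rec in records:
        for group in clusters:
            if any(fuzzy_similarity(rec.instruction_fuzzy_hash,
                                    g.instruction_fuzzy_hash) >= threshold
                   for g in group):
                group.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


def shared_strings(r1: FunctionRecord, r2: FunctionRecord) -> set[str]:
    """Strings referenced by both functions (overlapping code or shared tables)."""
    return r1.strings() & r2.strings()


def seven_zip_markers(rec: FunctionRecord) -> set[str]:
    """Known 7-Zip console strings referenced by this function."""
    return rec.strings() & SEVEN_ZIP_CONSOLE_MARKERS


if __name__ == "__main__":
    for group in cluster_by_fuzzy_hash(RECORDS):
        entries = ", ".join(f"0x{r.entry:08X}" for r in group)
        markers = set().union(*(seven_zip_markers(r) for r in group))
        print(f"cluster [{entries}] 7-Zip markers: {sorted(markers) or 'none'}")
```

                              The two functions at 0x00BBA013 and 0x00BBA42C land in one cluster: their fuzzy hashes agree in most positions and they share the same result-summary strings, which is what the overlapping block ranges in their graphs already suggest. The marker check is only a pivot; confirming that the dropped file is an unmodified 7zr.exe still means comparing its hash against a 7-Zip release.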

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph of basic blocks for the function entered at 0x00BB6766 (blocks from 0x00BB6766 to 0x00BB695A; the entry block calls EnterCriticalSection and the reporting blocks call fputs); the executed / not-executed colouring is only available in the interactive report and is not reproduced here.
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BB676B
                              • EnterCriticalSection.KERNEL32(00C42938), ref: 00BB6781
                              • fputs.MSVCRT ref: 00BB680B
                              • LeaveCriticalSection.KERNEL32(00C42938), ref: 00BB6944
                                • Part of subcall function 00BBC7D7: fputs.MSVCRT ref: 00BBC840
                              • fputs.MSVCRT ref: 00BB6851
                                • Part of subcall function 00B82201: fputs.MSVCRT ref: 00B8221E
                              • fputs.MSVCRT ref: 00BB68D9
                              • fputs.MSVCRT ref: 00BB68F6
                                • Part of subcall function 00B81FA0: fputc.MSVCRT ref: 00B81FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                              • String ID: v$Sub items Errors:
                              • API String ID: 2670240366-2468115448
                              • Opcode ID: 84f833f2811c46dde3a370e05d8f0c1f7be79e76371b6ce4e350cb13cc08b4a0
                              • Instruction ID: cd3ad1721c32a5f7cecb8fbb1e1f1976c8756ab009f7fbb465e5aa5007c5c89b
                              • Opcode Fuzzy Hash: 84f833f2811c46dde3a370e05d8f0c1f7be79e76371b6ce4e350cb13cc08b4a0
                              • Instruction Fuzzy Hash: 64519A31601600CFCB25AF64D895BFEB7E2FF88310F5448AEE29A87661CB746C46CB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph of basic blocks for the function entered at 0x00BB6359 (blocks from 0x00BB6359 to 0x00BB66FD, with calls to fputs in the reporting blocks); the executed / not-executed colouring is only available in the interactive report and is not reproduced here.
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BB635E
                              • fputs.MSVCRT ref: 00BB645F
                                • Part of subcall function 00BBC7D7: fputs.MSVCRT ref: 00BBC840
                              • fputs.MSVCRT ref: 00BB6547
                              • fputs.MSVCRT ref: 00BB665F
                              • fputs.MSVCRT ref: 00BB66AE
                                • Part of subcall function 00B81F91: fflush.MSVCRT ref: 00B81F93
                                • Part of subcall function 00B81FB3: __EH_prolog.LIBCMT ref: 00B81FB8
                                • Part of subcall function 00B81E40: free.MSVCRT ref: 00B81E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog$fflushfree
                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                              • API String ID: 1750297421-1898165966
                              • Opcode ID: c8510a1c2164dd2e7e732213d4c2bb7ce751caa200cecfc2c43d4212123f65e4
                              • Instruction ID: 0c90c16b413909df8a5f2e5be1480457f1788a87132ad41ef063e4f20a93b248
                              • Opcode Fuzzy Hash: c8510a1c2164dd2e7e732213d4c2bb7ce751caa200cecfc2c43d4212123f65e4
                              • Instruction Fuzzy Hash: B0B15E306027058FDB24EF64C9A1BFAB7E5FF44304F0449ADE65A572A2CBB8AD45CB50

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              • Graph of basic blocks for the function entered at 0x00B86C72 (blocks from 0x00B86C72 to 0x00B8715F, with calls to SetLastError and wcscmp, and a recursive call to 0x00B86C72); the executed / not-executed colouring is only available in the interactive report and is not reproduced here.
                              APIs
                              • __EH_prolog.LIBCMT ref: 00B86C77
                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00B86EC9
                                • Part of subcall function 00B86C72: wcscmp.MSVCRT ref: 00B870A5
                                • Part of subcall function 00B86BF5: __EH_prolog.LIBCMT ref: 00B86BFA
                                • Part of subcall function 00B86BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 00B86C1A
                                • Part of subcall function 00B86BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00B86C49
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                              • String ID: :$DATA
                              • API String ID: 3316598575-2587938151
                              • Opcode ID: 7273a7842988aaeffcb571487290a15d46e44c4ba4b4c5d0c5df1ecea8420264
                              • Instruction ID: 6124786cad57cd0c3cb80b0fd3eb0b880f3b2a8cb16c09dce454a684b7e3486e
                              • Opcode Fuzzy Hash: 7273a7842988aaeffcb571487290a15d46e44c4ba4b4c5d0c5df1ecea8420264
                              • Instruction Fuzzy Hash: 96E1F4709006099ACF25FFA4C895BEDB7F1EF14318F2045A9E8456B2F1DF70A949CB51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: e5487198a5e0d51365105fd2e93bc66b3a012f28e8ed332c7e0556f34277213f
                              • Instruction ID: 7ee5ee5997c3de1dbe0b854dcf7edbb3a9ff4ebddfbb76aee4189d6637b204e8
                              • Opcode Fuzzy Hash: e5487198a5e0d51365105fd2e93bc66b3a012f28e8ed332c7e0556f34277213f
                              • Instruction Fuzzy Hash: 59218E32904118EBCF19FB94E952BEDBBF9EF58310F2000AAE401721A1DFB16E45DB94
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BB8346
                              • fputs.MSVCRT ref: 00BB835B
                              • fputs.MSVCRT ref: 00BB8364
                                • Part of subcall function 00BB83BF: __EH_prolog.LIBCMT ref: 00BB83C4
                                • Part of subcall function 00BB83BF: fputs.MSVCRT ref: 00BB8401
                                • Part of subcall function 00BB83BF: fputs.MSVCRT ref: 00BB8437
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: 4bcc4441c1df8a01aba1717b78ac9a7323734685909eebc8454d769d6bbb56a6
                              • Instruction ID: dd3b0fb97d9f481447e21f1e59e0e99f4b9ffe7a16162c018b4411e71b86495b
                              • Opcode Fuzzy Hash: 4bcc4441c1df8a01aba1717b78ac9a7323734685909eebc8454d769d6bbb56a6
                              • Instruction Fuzzy Hash: 8A018631A04014ABCF15BBA8D852BEDBBF9EF84750F00445AF501621B1CF754A56DBD5
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BA209B
                                • Part of subcall function 00B8757D: GetLastError.KERNEL32(00B8D14C), ref: 00B8757D
                                • Part of subcall function 00BA2C6C: __EH_prolog.LIBCMT ref: 00BA2C71
                                • Part of subcall function 00B81E40: free.MSVCRT ref: 00B81E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 683690243-1569138187
                              • Opcode ID: a0ae3f775fcb96cf5e390a05e95fb5dd126a49c45735435ed2c1e2a3c4fe7b78
                              • Instruction ID: 8b51beb88c522e79ab01cc73a427d13a77a5b3a6d6e16eaec896e05492f6751b
                              • Opcode Fuzzy Hash: a0ae3f775fcb96cf5e390a05e95fb5dd126a49c45735435ed2c1e2a3c4fe7b78
                              • Instruction Fuzzy Hash: 1F722270905258DFCB25DFA8C984BDEBBF5AF5A300F1440DAE859A7262CB709E81CF51
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: CountTickfputs
                              • String ID: .
                              • API String ID: 290905099-4150638102
                              • Opcode ID: 88c327a96defa517c49f7a5cb5c23563ac798362cef95fe1ea66b0c8fd9ffe3c
                              • Instruction ID: 94a96071a0dac1f4264e27398fa5366fd3a8d377757d84b633eb1195badebea8
                              • Opcode Fuzzy Hash: 88c327a96defa517c49f7a5cb5c23563ac798362cef95fe1ea66b0c8fd9ffe3c
                              • Instruction Fuzzy Hash: 0F712530600B089FDB35EB68C591ABEBBF6EF81700F00489DE49797A51DBB0B945CB11
                              APIs
                                • Part of subcall function 00B89C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00B89CB3
                                • Part of subcall function 00B89C8F: GetProcAddress.KERNEL32(00000000), ref: 00B89CBA
                                • Part of subcall function 00B89C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00B89CC8
                              • __aulldiv.LIBCMT ref: 00BC093F
                              • __aulldiv.LIBCMT ref: 00BC094B
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                              • String ID: 3333
                              • API String ID: 3520896023-2924271548
                              • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction ID: efffb9989965ae251f94508860db193ec71971654d7c28d9f261ebb4d0daa111
                              • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction Fuzzy Hash: 0A21CCB0A00704AFE730EF6D8881F5FFAFDEB85750F14896EB18AD3242D67099409B65
                              APIs
                                • Part of subcall function 00B81E40: free.MSVCRT ref: 00B81E44
                              • memset.MSVCRT ref: 00BAAEBA
                              • memset.MSVCRT ref: 00BAAECD
                                • Part of subcall function 00BC04D2: _CxxThrowException.MSVCRT(?,00C34A58), ref: 00BC04F8
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: memset$ExceptionThrowfree
                              • String ID: Split
                              • API String ID: 1404239998-1882502421
                              • Opcode ID: b526fd6829f7b46ccb3d6804cda57929d587d87869c0f8e26ff8730aaf6246cd
                              • Instruction ID: 6faa16f45a16c5ee227493bdf7a4637fbe1e2af57c219da9e25774285878bbde
                              • Opcode Fuzzy Hash: b526fd6829f7b46ccb3d6804cda57929d587d87869c0f8e26ff8730aaf6246cd
                              • Instruction Fuzzy Hash: BC423A30A08249DFDF25DBA4C984BADBBF5EF0A314F1440E9E449A7251CB35AE85CB21
                              APIs
                              • __EH_prolog.LIBCMT ref: 00B8609B
                                • Part of subcall function 00B86BF5: __EH_prolog.LIBCMT ref: 00B86BFA
                                • Part of subcall function 00B86BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 00B86C1A
                                • Part of subcall function 00B86BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00B86C49
                              • DeleteFileW.KERNELBASE(?,?,?,00000000), ref: 00B860DF
                              • DeleteFileW.KERNEL32(?,00000000,?,?,00000000), ref: 00B86111
                                • Part of subcall function 00B85A8C: __EH_prolog.LIBCMT ref: 00B85A91
                                • Part of subcall function 00B85A8C: SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00B85AB7
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: File$AttributesH_prolog$Delete
                              • String ID:
                              • API String ID: 579516761-0
                              • Opcode ID: b72577de6ccfa7eb0beb3b55a172cfeda0226cf74a04e80a7f0a3a3ea827a5c3
                              • Instruction ID: dfdfdc5e30cacdbd8dd7bc838dd71521efb528069a89ca627c804901f4e3c9cf
                              • Opcode Fuzzy Hash: b72577de6ccfa7eb0beb3b55a172cfeda0226cf74a04e80a7f0a3a3ea827a5c3
                              • Instruction Fuzzy Hash: D0110832A0021557CF19B6B494C67BD6BEADF813A4F1415E6DD11A32F3CE218C46D790
                              APIs
                              • fputs.MSVCRT ref: 00BB8437
                              • fputs.MSVCRT ref: 00BB8401
                                • Part of subcall function 00B81FB3: __EH_prolog.LIBCMT ref: 00B81FB8
                              • __EH_prolog.LIBCMT ref: 00BB83C4
                                • Part of subcall function 00B81FA0: fputc.MSVCRT ref: 00B81FA7
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs$fputc
                              • String ID:
                              • API String ID: 678540050-0
                              • Opcode ID: b3eaac3d226229e7830efd79fed3efbb334a5c22a1b190218f472cb06a19e52d
                              • Instruction ID: c0b76fafc4832fc348d293051a90cc2678f8968022ec7c70a7efb7cae2bac892
                              • Opcode Fuzzy Hash: b3eaac3d226229e7830efd79fed3efbb334a5c22a1b190218f472cb06a19e52d
                              • Instruction Fuzzy Hash: 3E118631B051155BCF05BBA4E9136AEBBF9DF44750F00046DF501926B1DF651942C7D4
                              APIs
                              • __EH_prolog.LIBCMT ref: 00B86BFA
                              • GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 00B86C1A
                                • Part of subcall function 00B81E40: free.MSVCRT ref: 00B81E44
                              • GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00B86C49
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFile$H_prologfree
                              • String ID:
                              • API String ID: 86656847-0
                              • Opcode ID: 17f010e938e64cffd65f554c9eec8a7a6ba89850eed0f7e70079b2b4bd35a378
                              • Instruction ID: 249ad0d9e81bd5eb62958914c6a1fa997fa041a5964d3e0fe39b9b15ea348032
                              • Opcode Fuzzy Hash: 17f010e938e64cffd65f554c9eec8a7a6ba89850eed0f7e70079b2b4bd35a378
                              • Instruction Fuzzy Hash: E101F432A0010497CF1577F8E8C26BEBBE9EF55370F1006AAF911A22E1CE714C46EB90
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BA2CE0
                                • Part of subcall function 00B85E10: __EH_prolog.LIBCMT ref: 00B85E15
                                • Part of subcall function 00B941EC: _CxxThrowException.MSVCRT(?,00C34A58), ref: 00B9421A
                                • Part of subcall function 00B8965D: VariantClear.OLEAUT32(?), ref: 00B8967F
                              Strings
                              • Cannot create output directory, xrefs: 00BA3070
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ClearExceptionThrowVariant
                              • String ID: Cannot create output directory
                              • API String ID: 814188403-1181934277
                              • Opcode ID: db09771e8acc3869ab2a8d251045e5aea69971aa96d84ecfa963be7570f980fd
                              • Instruction ID: 42f54d17aaabca750f94252ba384a97af5f91a5526744f9c55a5271c3c5b192a
                              • Opcode Fuzzy Hash: db09771e8acc3869ab2a8d251045e5aea69971aa96d84ecfa963be7570f980fd
                              • Instruction Fuzzy Hash: B8F18E309092899FCF25EFA8C990AEEBBF5FF1A300F1444E9E44567252DB319E45CB51
                              APIs
                              • fputs.MSVCRT ref: 00BBC840
                                • Part of subcall function 00B825CB: _CxxThrowException.MSVCRT(?,00C34A58), ref: 00B825ED
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs
                              • String ID:
                              • API String ID: 1334390793-399585960
                              • Opcode ID: e97864558fb8319e1b846f190016ee02150df4aafc137055167db561189645e9
                              • Instruction ID: 335dd0c4b2a90d197f7594c8911bacaac13dd02db032fb01d3c75eba8325adca
                              • Opcode Fuzzy Hash: e97864558fb8319e1b846f190016ee02150df4aafc137055167db561189645e9
                              • Instruction Fuzzy Hash: 1D11C1716047449FDB25CF59C8D1BAAFBE6EF49304F0444AEE1868B251CBB1BD04CBA0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Open
                              • API String ID: 1795875747-71445658
                              • Opcode ID: e5cd573b1dfb067cd55e72b15c3763cfc6d90b55c79c5dedbce9ed957327ec4e
                              • Instruction ID: 87864487c7ffbd16e8453dbf337ecc1489bbaaea240e85d3cbc55eb1d500de06
                              • Opcode Fuzzy Hash: e5cd573b1dfb067cd55e72b15c3763cfc6d90b55c79c5dedbce9ed957327ec4e
                              • Instruction Fuzzy Hash: 741173315057049FC720EF38D992AEABBE5EF54310F50897EE15A83112DA75AD05CF50
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BD06B3
                              • _CxxThrowException.MSVCRT(?,00C3D480), ref: 00BD08F2
                                • Part of subcall function 00B81E0C: malloc.MSVCRT ref: 00B81E1F
                                • Part of subcall function 00B81E0C: _CxxThrowException.MSVCRT(?,00C34B28), ref: 00B81E39
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prologmalloc
                              • String ID:
                              • API String ID: 3044594480-0
                              • Opcode ID: 6f97f9284002948332248c54e40d0a5c89add1639b1ecf8f0e5ab4a9570362be
                              • Instruction ID: 39d45382e3c91c6193e9459fb17b4c4f11c2c7cff7e6d4464d5af15dd39480f3
                              • Opcode Fuzzy Hash: 6f97f9284002948332248c54e40d0a5c89add1639b1ecf8f0e5ab4a9570362be
                              • Instruction Fuzzy Hash: CD913871D00249DFCB21EFA8C881AEEBBF5AF09304F1440AAE459A7252D731AE45DF61
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 694d374565f686ad1eefa4c125342e5a9d97d5d82e645f8ebf9fddd0c3e39e79
                              • Instruction ID: 00dfe548b9ea1b9614eb658bffbf50cf8130f6853a41f8e8f56ce8c75995dd13
                              • Opcode Fuzzy Hash: 694d374565f686ad1eefa4c125342e5a9d97d5d82e645f8ebf9fddd0c3e39e79
                              • Instruction Fuzzy Hash: 52F1BB70A05789DFCF21DF64C490AAABBE1FF25304F5448BEE49A9B211D730AD44CB51
                              APIs
                              • __EH_prolog.LIBCMT ref: 00B94255
                                • Part of subcall function 00B9440B: __EH_prolog.LIBCMT ref: 00B94410
                                • Part of subcall function 00B81E0C: malloc.MSVCRT ref: 00B81E1F
                                • Part of subcall function 00B81E0C: _CxxThrowException.MSVCRT(?,00C34B28), ref: 00B81E39
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: cc2e0605e27a3473869a5c2eeafeaf7ce3743fb0631923c218fc4b4c54b402ac
                              • Instruction ID: 6f1a9c0280b9f6c2a008fbaf5f9e5f8f1aa4d0d5001c39fedeed09b1b5d4f4ca
                              • Opcode Fuzzy Hash: cc2e0605e27a3473869a5c2eeafeaf7ce3743fb0631923c218fc4b4c54b402ac
                              • Instruction Fuzzy Hash: 3B51F8B0401744CFC725DF69C1846DAFBF0BF29304F5588AED49A97B62D7B0A608CB61
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9e8c9db77e76180aa0f4a256c45273cc8d9a9b30c752d097911102a9e10f8e32
                              • Instruction ID: 3fe7dbb1aaa76942234060e78d905afcb310d5703342dfc6a13acea63087e79f
                              • Opcode Fuzzy Hash: 9e8c9db77e76180aa0f4a256c45273cc8d9a9b30c752d097911102a9e10f8e32
                              • Instruction Fuzzy Hash: FD31F9B0914209DFCB14EF99C8A18EEBBF5FF96364F20859DE42667251C7309E41CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BA021F
                                • Part of subcall function 00B93D66: __EH_prolog.LIBCMT ref: 00B93D6B
                                • Part of subcall function 00B93D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00B93D7D
                                • Part of subcall function 00B93D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00B93D94
                                • Part of subcall function 00B93D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00B93DB6
                                • Part of subcall function 00B93D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00B93DCB
                                • Part of subcall function 00B93D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00B93DD5
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 1532160333-0
                              • Opcode ID: 132539b2d1ea4525d13364556353ba32faf1b3e7e4abe98e10c3cda86981db4a
                              • Instruction ID: 0dcccc0bb7b008ffa4c56d3296d33103529388a8b8241c67be9cf821e15e077d
                              • Opcode Fuzzy Hash: 132539b2d1ea4525d13364556353ba32faf1b3e7e4abe98e10c3cda86981db4a
                              • Instruction Fuzzy Hash: 67214AB1946B90CFC321CF6A82D0686FFF4BF19604B9499AEC0DA83B12C370A548CF55
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BBC0B8
                                • Part of subcall function 00BA7193: __EH_prolog.LIBCMT ref: 00BA7198
                                • Part of subcall function 00B81E40: free.MSVCRT ref: 00B81E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                               • Associated: 00000009.00000002.1736629527.0000000000B80000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737084719.0000000000C2C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737332390.0000000000C42000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1737658490.0000000000C4B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 9126f6f6fa90ee1f710752e4bc7c9c66148cb77203529e55388b5c6744641a85
                              • Instruction ID: 3a64f1cbb40212c54351cbebf00c3034b438b92386a72d9c3bc38dc6f218b6c8
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BC0364
                                • Part of subcall function 00BC01C4: __EH_prolog.LIBCMT ref: 00BC01C9
                                • Part of subcall function 00BC0143: __EH_prolog.LIBCMT ref: 00BC0148
                                • Part of subcall function 00B81E40: free.MSVCRT ref: 00B81E44
                                • Part of subcall function 00BC03D8: __EH_prolog.LIBCMT ref: 00BC03DD
                                • Part of subcall function 00BC004A: __EH_prolog.LIBCMT ref: 00BC004F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 123dbb3f0682e1a00f029ff9e214bcf54b706cdb5f51848aa887db54b64775b6
                              • Instruction ID: ee6b996650a72d1501e835d83087e4d1f9da5ddfac3175471581e40f1e82ba39
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: ce4be6e8589d2a1968280cdb46d0e36f84715ba6315f823b66066946ca1c6d17
                              • Instruction ID: 3c085d75c7cd0f6101b801295f7578935ff82fa7d14e93dc64ef14059c586995
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 95aeea355e893a4687b25262ce1553e14a9369899878ec0dfcf73c5135f93a0e
                              • Instruction ID: cb13dbb6389b9437fd42e5df9dfcf79d8e13ce0d44c622fa1ee69659afbb7a88
                              APIs
                              • __EH_prolog.LIBCMT ref: 00BD80AF
                                • Part of subcall function 00B81E0C: malloc.MSVCRT ref: 00B81E1F
                                • Part of subcall function 00B81E0C: _CxxThrowException.MSVCRT(?,00C34B28), ref: 00B81E39
                                • Part of subcall function 00BCBDB5: __EH_prolog.LIBCMT ref: 00BCBDBA
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 13584210742625986d2f0088bf0d7438bca7f264514136c3535f9c675e6a8896
                              • Instruction ID: bb69e21e1399892edcb3a874cbcffbef5bc729140a79f9132ef2883bb384f02a
                              APIs
                              • FindClose.KERNELBASE(00000000,?,00B86880), ref: 00B86853
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: df98868018307eb57472fa6360244cb1c8891ce6f54c1492632016af3c0c6d80
                              • Instruction ID: f367b260493f1861bfa7c1c44ea04c45213a5591f6e462a46bcabdf20f067599
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 8a2b503296bf22be47d2f19c052c8847aab7e260b289cb3464690a64ef362f42
                              • Instruction ID: 04c09fd07808a1a61ec2aeda96e0f963f1e864dc0525b4692d534985c5e5d557
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: 0db305b7f92fd17a51a36588dbf02d5db321033b2387deb0fdb7667eda8fb21f
                              • Instruction ID: d28de3cb6aa38924bdc28b0e88636f20fe86c264391d3e271dac04b8fa08cb5f
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction ID: 5b990d8bda39a818bb0ff522383e882d4cbdec4f346a957c5dc5f31e1392d368
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000), ref: 00C06B31
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 01c55870ce3576a5bb19e6a9f248e0dba4582d70403803175e829ef2b580ea4e
                              • Instruction ID: b8c81f167e3d0da540a7e09a66d66212ff3ee570f1015b6a4c0e42cbc1ad3800
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction ID: fb2385820b4c71bbcd3d49ef54e569a3ffb6673d0aa9ad700b32d71e2413a57b
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction ID: 0d2d55ecbf9dbdefa1f882dca65a04d7592ee7e5253ae66abbb3d553f041c150
                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00C06BAC
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 758233b5bcc14fce795f00b50ad76a000f06a4b88a1585375b96d6085254c668
                              • Instruction ID: 5b66426553f7021c95b7f1982f4614562c542ffc1afc1513a198c7ad79982dd2
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction ID: cb44eef19cb3830b67b93da6054931387c41b1195ebf372569ca57610782bb30
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1736714308.0000000000B81000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00B80000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_b80000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction ID: 5ac8a0e1a902985d73684da9187a6bd5e809fb6e2bde0937c899758305f9c37a