
Windows Analysis Report
cVyexkZjrG.exe

Overview

General Information

Sample name: cVyexkZjrG.exe (renamed because the original name is a hash value)
Original sample name: 5A3C5AA184E4FDB2DE4530C18ADB9B12FFC1A101C86CDE8DE13CE49D7A7A2B44.exe
Analysis ID: 1580243
MD5: 4e1927f742599f95f0d9450b4b8c2c80
SHA1: 4bd20ceb48adb224d11eae63ce6f27cb974e321b
SHA256: 5a3c5aa184e4fdb2de4530c18adb9b12ffc1a101c86cde8de13ce49d7a7a2b44
Tags: backdoor, exe, silverfox, user-zhuzhu0009
Infos:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cVyexkZjrG.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\cVyexkZjrG.exe" MD5: 4E1927F742599F95F0D9450B4B8C2C80)
    • cVyexkZjrG.tmp (PID: 7364 cmdline: "C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" MD5: 0195248B8EBF37D072592944E7488FC4)
      • powershell.exe (PID: 7380 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7872 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • cVyexkZjrG.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT MD5: 4E1927F742599F95F0D9450B4B8C2C80)
        • cVyexkZjrG.tmp (PID: 7516 cmdline: "C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp" /SL5="$1048C,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT MD5: 0195248B8EBF37D072592944E7488FC4)
          • 7zr.exe (PID: 7652 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7740 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7620 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7636 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7856 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8036 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8156 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4588 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7268 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6528 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7496 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7620 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7728 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7720 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7844 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7864 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7920 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8100 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7428 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7488 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7412 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8172 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3320 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5480 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7684 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7780 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7888 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7452 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp, ParentProcessId: 7364, ParentProcessName: cVyexkZjrG.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7380, ProcessName: powershell.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7620, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7636, ProcessName: sc.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp, ParentProcessId: 7364, ParentProcessName: cVyexkZjrG.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7380, ProcessName: powershell.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7620, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7636, ProcessName: sc.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp, ParentProcessId: 7364, ParentProcessName: cVyexkZjrG.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7380, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 15%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\update.vac; ReversingLabs: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\update.vac; ReversingLabs: Detection: 15%
Source: cVyexkZjrG.exe; Virustotal: Detection: 8%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 83.8% probability
Source: cVyexkZjrG.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cVyexkZjrG.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000B.00000003.1709314834.0000000000490000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1709102654.0000000003190000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C72AEC0 FindFirstFileA,FindClose,FindClose, 5_2_6C72AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_004C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 9_2_004C6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 9_2_004C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 9_2_004C7496
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0A
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0C
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0H
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0I
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://ocsp.digicert.com0X
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/CPS0
Source: cVyexkZjrG.tmp, 00000001.00000003.1661875868.0000000003A10000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr; String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: cVyexkZjrG.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: cVyexkZjrG.exe, 00000000.00000003.1653138137.0000000003480000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.1653493826.000000007FB2B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000001.00000000.1655048386.0000000000C81000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000005.00000000.1666577750.000000000115D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.4.dr, cVyexkZjrG.tmp.0.dr; String found in binary or memory: https://www.innosetup.com/
Source: cVyexkZjrG.exe, 00000000.00000003.1653138137.0000000003480000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.1653493826.000000007FB2B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000001.00000000.1655048386.0000000000C81000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000005.00000000.1666577750.000000000115D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.4.dr, cVyexkZjrG.tmp.0.dr; String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C5B3886
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C735120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 5_2_6C735120
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C5B3C62
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C735D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 5_2_6C735D60
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C5B3D62
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C5B3D18
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C5B39CF
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C5B3A6A
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B1950: CreateFileA,DeviceIoControl,CloseHandle, 5_2_6C5B1950
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 5_2_6C5B4754
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5B4754, 5_2_6C5B4754
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C5C4A27, 5_2_6C5C4A27
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C731880, 5_2_6C731880
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C736A43, 5_2_6C736A43
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C796CE0, 5_2_6C796CE0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7E3D50, 5_2_6C7E3D50
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C782EC9, 5_2_6C782EC9
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C768EA1, 5_2_6C768EA1
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7E9E80, 5_2_6C7E9E80
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7DE810, 5_2_6C7DE810
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C768972, 5_2_6C768972
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7FA930, 5_2_6C7FA930
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7E99F0, 5_2_6C7E99F0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7DFA50, 5_2_6C7DFA50
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7DDAD0, 5_2_6C7DDAD0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7E1AA0, 5_2_6C7E1AA0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C7F4AA0, 5_2_6C7F4AA0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C780B66, 5_2_6C780B66
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp; Code function: 5_2_6C770BCA, 5_2_6C770BCA
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C78540A5_2_6C78540A
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C7EF5C05_2_6C7EF5C0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C7E25805_2_6C7E2580
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C7E96E05_2_6C7E96E0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C8097005_2_6C809700
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C76C7CF5_2_6C76C7CF
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C7E00205_2_6C7E0020
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmpCode function: 5_2_6C7F37505_2_6C7F3750
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005081EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004DE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005481C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00558240
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005422E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00562300
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005504C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0052E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005425F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00538650
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005366D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00510943
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00542A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0051AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00538C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00546CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00550E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00554EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0054D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005210AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0052B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00551120
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005591C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00545180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00557200
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005253F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004EB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0054F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00537410
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0054F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005554D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0050D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00551550
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0056351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00553530
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00519652
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00563601
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0054D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004D9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005577C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004EF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004DBAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00547AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00513AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00547C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004DBC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0053FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00545E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00545F80
Source: Joe Sandbox View | Dropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: String function: 6C769240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: String function: 6C806F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0055FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 004C1E40 appears 84 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 004C28E3 appears 34 times
Source: cVyexkZjrG.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cVyexkZjrG.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: cVyexkZjrG.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: cVyexkZjrG.tmp.4.dr | Static PE information: Number of sections : 11 > 10
Source: cVyexkZjrG.exe | Static PE information: Number of sections : 11 > 10
Source: cVyexkZjrG.exe, 00000000.00000003.1653493826.000000007FE2A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName klO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe, 00000000.00000000.1651783186.00000000005E9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName klO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe, 00000000.00000003.1653138137.000000000359E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName klO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe | Binary or memory string: OriginalFileName klO2bH6zRBJ6nSx.exe vs cVyexkZjrG.exe
Source: cVyexkZjrG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.11.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal92.evad.winEXE@148/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C735D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004D3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C735240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Program Files (x86)\Windows NT\is-6IBH4.tmp
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6812:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3068:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | File created: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: cVyexkZjrG.exe | Virustotal: Detection: 8%
Source: cVyexkZjrG.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | File read: C:\Users\user\Desktop\cVyexkZjrG.exe
Source: unknown | Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe"
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe"
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp" /SL5="$1048C,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe"
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp "C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp" /SL5="$1048C,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: cVyexkZjrG.exe | Static file information: File size 7370578 > 1048576
Source: cVyexkZjrG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1709314834.0000000000490000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1709102654.0000000003190000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_005457D0
Source: update.vac.1.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: cVyexkZjrG.tmp.0.dr | Static PE information: real checksum: 0x0 should be: 0x343ad8
Source: cVyexkZjrG.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x343ad8
Source: update.vac.5.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: cVyexkZjrG.exe | Static PE information: real checksum: 0x0 should be: 0x71186a
Source: tProtect.dll.11.dr | Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.dr | Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: cVyexkZjrG.exe | Static PE information: section name: .didata
Source: cVyexkZjrG.tmp.0.dr | Static PE information: section name: .didata
Source: update.vac.1.dr | Static PE information: section name: .00cfg
Source: update.vac.1.dr | Static PE information: section name: .voltbl
Source: update.vac.1.dr | Static PE information: section name: .8Tk
Source: cVyexkZjrG.tmp.4.dr | Static PE information: section name: .didata
Source: 7zr.exe.5.dr | Static PE information: section name: .sxdata
Source: hrsw.vbc.5.dr | Static PE information: section name: .00cfg
Source: hrsw.vbc.5.dr | Static PE information: section name: .voltbl
Source: hrsw.vbc.5.dr | Static PE information: section name: .8Tk
Source: update.vac.5.dr | Static PE information: section name: .00cfg
Source: update.vac.5.dr | Static PE information: section name: .voltbl
Source: update.vac.5.dr | Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C7386EB push ecx; ret 5_2_6C7386FE
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C5E0F00 push ss; retn 0001h 5_2_6C5E0F0A
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C806F10 push eax; ret 5_2_6C806F2E
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C76B9F4 push 004AC35Ch; ret 5_2_6C76BA0E
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C807290 push eax; ret 5_2_6C8072BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C45F4 push 0056C35Ch; ret 9_2_004C460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055FB10 push eax; ret 9_2_0055FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_0055FE90 push eax; ret 9_2_0055FEBE
Source: update.vac.1.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.5.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.5.dr | Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | File created: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | File created: C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | File created: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | File created: C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\update.vac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\cVyexkZjrG.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6483
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3167
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Window / User API: threadDelayed 624
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Window / User API: threadDelayed 670
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Window / User API: threadDelayed 570
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C72AEC0 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004C9C60 GetSystemInfo
Source: cVyexkZjrG.tmp, 00000001.00000002.1680726664.0000000000A91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cVyexkZjrG.tmp, 00000001.00000002.1680726664.0000000000A91000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C5B3886 NtSetInformationThread 00000000,00000011,00000000,00000000 (ThreadInformationClass 0x11 is ThreadHideFromDebugger)
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C740181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_005457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C749D66 mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the x86 TEB)
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C749D35 mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the x86 TEB)
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C73F17D mov eax, dword ptr fs:[00000030h] (reads the PEB pointer from the x86 TEB)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C738CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.11.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp | Process created: C:\Users\user\Desktop\cVyexkZjrG.exe "C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp | Code function: 5_2_6C807700 cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_004CAB2A GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 9_2_00560090 GetVersion
MITRE ATT&CK Matrix (the number in parentheses after a technique is the count shown for it in the original matrix; techniques without a number had no count):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | Windows Service (1) | Access Token Manipulation (1) | Masquerading (11) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Service Execution (1) | DLL Side-Loading (1) | Windows Service (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (421) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Native API (1) | Logon Script (Windows) | Process Injection (111) | Virtualization/Sandbox Evasion (231) | Security Account Manager | Virtualization/Sandbox Evasion (231) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | DLL Side-Loading (1) | Access Token Manipulation (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (111) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery (2) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Obfuscated Files or Information (3) | DCSync | File and Directory Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | System Information Discovery (25) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | DLL Side-Loading (1) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1580243, Sample: cVyexkZjrG.exe, Startdate: 24/12/2024, Architecture: WINDOWS, Score: 92)

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 2 other signatures

Process tree recovered from the graph (node numbers as in the original):
  2 Start
    10 cVyexkZjrG.exe (dropped: C:\Users\user\AppData\...\cVyexkZjrG.tmp, PE32)
      19 cVyexkZjrG.tmp (dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; signature: Adds a directory exclusion to Windows Defender)
        35 cVyexkZjrG.exe (dropped: C:\Users\user\AppData\...\cVyexkZjrG.tmp, PE32)
          55 cVyexkZjrG.tmp (dropped: C:\Users\user\AppData\Local\...\update.vac, PE32; C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files (x86)\Windows NT\7zr.exe, PE32; signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger)
            63 7zr.exe (dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+)
              68 conhost.exe
            66 7zr.exe
              70 conhost.exe
        38 powershell.exe (signature: Loading BitLocker PowerShell Module)
          59 conhost.exe
          61 WmiPrvSE.exe
    13 cmd.exe
      23 sc.exe
        51 2 other processes
    15 cmd.exe
      25 sc.exe
        41 conhost.exe
    17 32 other processes
      27 sc.exe
        43 conhost.exe
      29 sc.exe
        45 conhost.exe
      31 sc.exe
        47 conhost.exe
      33 28 other processes
        49 conhost.exe
        53 27 other processes

Antivirus detection, submitted file:

Source | Detection | Scanner
cVyexkZjrG.exe | 0% | ReversingLabs
cVyexkZjrG.exe | 8% | Virustotal

Antivirus detection, dropped files:

Source | Detection | Scanner
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc | 16% | ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc | 24% | Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal
C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\_isetup\_setup64.tmp | 0% | Virustotal
C:\Users\user\AppData\Local\Temp\is-AS79P.tmp\update.vac | 16% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BKT74.tmp\update.vac | 16% | ReversingLabs
No Antivirus matches
No contacted domains info
URLs found in memory or binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | cVyexkZjrG.exe | false | (none) | high
https://www.remobjects.com/ps | cVyexkZjrG.exe, 00000000.00000003.1653138137.0000000003480000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.1653493826.000000007FB2B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000001.00000000.1655048386.0000000000C81000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000005.00000000.1666577750.000000000115D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.4.dr, cVyexkZjrG.tmp.0.dr | false | (none) | high
https://www.innosetup.com/ | cVyexkZjrG.exe, 00000000.00000003.1653138137.0000000003480000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.exe, 00000000.00000003.1653493826.000000007FB2B000.00000004.00001000.00020000.00000000.sdmp, cVyexkZjrG.tmp, 00000001.00000000.1655048386.0000000000C81000.00000020.00000001.01000000.00000004.sdmp, cVyexkZjrG.tmp, 00000005.00000000.1666577750.000000000115D000.00000020.00000001.01000000.00000008.sdmp, cVyexkZjrG.tmp.4.dr, cVyexkZjrG.tmp.0.dr | false | (none) | high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580243
        Start date and time:2024-12-24 06:13:05 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 8m 33s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:112
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:cVyexkZjrG.exe
        renamed because original name is a hash value
        Original Sample Name:5A3C5AA184E4FDB2DE4530C18ADB9B12FFC1A101C86CDE8DE13CE49D7A7A2B44.exe
        Detection:MAL
        Classification:mal92.evad.winEXE@148/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 77%
        • Number of executed functions: 66
        • Number of non-executed functions: 76
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Excluded IPs from analysis (whitelisted): 4.245.163.56
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
Time    Type    Description
00:13:56    API Interceptor    1x Sleep call for process: cVyexkZjrG.tmp modified
00:13:58    API Interceptor    22x Sleep call for process: powershell.exe modified
        No context
Match    Associated Sample Name / URL    SHA 256    Detection    Threat Name    Link    Context
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.3.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.1.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.2.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.3.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.1.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.2.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.2.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b_2.0.8.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b1.0.2.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\7zr.exe    #U5b89#U88c5#U52a9#U624b_2.0.8.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc    #U5b89#U88c5#U52a9#U624b1.0.3.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc    #U5b89#U88c5#U52a9#U624b1.0.1.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc    #U5b89#U88c5#U52a9#U624b1.0.2.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc    #U5b89#U88c5#U52a9#U624b1.0.3.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc    #U5b89#U88c5#U52a9#U624b1.0.1.exe    Get hash    malicious    Unknown    Browse
C:\Program Files (x86)\Windows NT\hrsw.vbc    #U5b89#U88c5#U52a9#U624b1.0.2.exe    Get hash    malicious    Unknown    Browse
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):831200
                                        Entropy (8bit):6.671005303304742
                                        Encrypted:false
                                        SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                        MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                        SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                        SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                        SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 0%, Browse
                                        Joe Sandbox View:
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1991296
                                        Entropy (8bit):7.999905359856555
                                        Encrypted:true
                                        SSDEEP:49152:lCxGJwolu3n/E3sZoXRUrXJ6di0cLXchbke51ul:lCJol2c3YeoXJ6dFcLsH1ul
                                        MD5:3A3CBB8509F127F9B690DB6D717EFE0B
                                        SHA1:75622A50925038691E199C7A7EE95AEF614E4256
                                        SHA-256:FDF35E1926622C8577D26B56F52DA00E5791F9098E0E9D45D55FAB26FABEEB60
                                        SHA-512:6C37A9339625CE7F92C1E2759E4A3F439C9A637781179F669591E5FF4BA5AE21FE6631ABD27D861BF6659044FD146F8FEC7CE0E936C2C9F222BB51DE8E943650
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3606528
                                        Entropy (8bit):7.005604268954487
                                        Encrypted:false
                                        SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                                        MD5:1047AF726D2E233D71934EF55E635C4A
                                        SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                                        SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                                        SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 16%
                                        • Antivirus: Virustotal, Detection: 24%, Browse
                                        Joe Sandbox View:
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
                                        • Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1991296
                                        Entropy (8bit):7.999905359856555
                                        Encrypted:true
                                        SSDEEP:49152:lCxGJwolu3n/E3sZoXRUrXJ6di0cLXchbke51ul:lCJol2c3YeoXJ6dFcLsH1ul
                                        MD5:3A3CBB8509F127F9B690DB6D717EFE0B
                                        SHA1:75622A50925038691E199C7A7EE95AEF614E4256
                                        SHA-256:FDF35E1926622C8577D26B56F52DA00E5791F9098E0E9D45D55FAB26FABEEB60
                                        SHA-512:6C37A9339625CE7F92C1E2759E4A3F439C9A637781179F669591E5FF4BA5AE21FE6631ABD27D861BF6659044FD146F8FEC7CE0E936C2C9F222BB51DE8E943650
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1741188
                                        Entropy (8bit):7.9999001471583515
                                        Encrypted:true
                                        SSDEEP:49152:9aEhXvns3rFhdXUq1lMApKE59iYLfn1jtTO/W2Y7u4NC:bXvsbGqXMUKE59i2rSMu4NC
                                        MD5:094C0AE003065FFA5629135986100DE9
                                        SHA1:4E69EB9649E29070C6F9229663E20E6895EE3635
                                        SHA-256:4E32486F96073839E9E674B2C372B58BC4244EAF45994E50D46BF94A3BF6B5ED
                                        SHA-512:2C952EB9CFC46F4DF1A4F7E36B372C15B5361513805739E5424095C74AE6C4E1DFC0160505E1CBDFCDA73391E51ED40BC26E2BAE3E7C4CF87EA40DCF2C60F984
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996643243558829
                                        Encrypted:true
                                        SSDEEP:1536:OB96vjwLrnk4oI1zr06mcoXXcLrmSYmmlTaZAB2awGqw:cUb4rkk5I6YcBYmmzBfh
                                        MD5:499F183D11BB9D100ECBF7FD156C56AE
                                        SHA1:A49086BAB8E06B37BB2729663F8D5BB2C4D89A9B
                                        SHA-256:3025E8E51DBA5D77D4DBBE7A1EDBFDE9A19C60306B712895E7F18963982CDB43
                                        SHA-512:7E2F46DE855C67CAA606DB1000F0FEA4EEAE55620E34B48BA9076245A686496648F8279C511412C70E08E9CC2C3AD3F8B5853F2EDFA897647993438FA1E11056
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996643243558827
                                        Encrypted:true
                                        SSDEEP:768:dOgF0xeYTrPzC17HiuO90X3o5NyGBZvDvTCDRA63/UYK6LR79DUrFQ+W3IOpmsCA:dOgATuHCNyGBoDmA/iaJUZilTeZ0cM
                                        MD5:9879CBB6CD59F92E48BCABAABEA1F242
                                        SHA1:236E0679940B8328256717B86B499265A30B6F14
                                        SHA-256:F55074BCCC64EA17CDF518D06B57BBF5E67D4A12632B91F9798E5DD4084AFFC4
                                        SHA-512:5DC8902DAB75025AFB57F322BCD142E4989C61B3C07A60689C7616E84F0237A825975EA4D3E8C8A3DD939363A9B4E5DB30368CC975DBE39C1888C66ED57DBC15
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996966859255975
                                        Encrypted:true
                                        SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                        MD5:CEA69F993E1CE0FB945A98BF37A66546
                                        SHA1:7114365265F041DA904574D1F5876544506F89BA
                                        SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                        SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):56546
                                        Entropy (8bit):7.996966859255979
                                        Encrypted:true
                                        SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                        MD5:4CB8B7E557C80FC7B014133AB834A042
                                        SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                        SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                        SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):31890
                                        Entropy (8bit):7.99402458740637
                                        Encrypted:true
                                        SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                        MD5:8622FC7228777F64A47BD6C61478ADD9
                                        SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                        SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                        SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):31890
                                        Entropy (8bit):7.99402458740637
                                        Encrypted:true
                                        SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                        MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                        SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                        SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                        SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                        Malicious:false
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):74960
                                        Entropy (8bit):7.99759370165655
                                        Encrypted:true
                                        SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                        MD5:950338D50B95A25F494EE74E97B7B7A9
                                        SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                        SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                        SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):74960
                                        Entropy (8bit):7.997593701656546
                                        Encrypted:true
                                        SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                        MD5:059BA7C31F3E227356CA5F29E4AA2508
                                        SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                        SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                        SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                        Malicious:false
                                        Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):29730
                                        Entropy (8bit):7.994290657653607
                                        Encrypted:true
                                        SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                        MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                        SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                        SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                        SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                        Malicious:false
                                        Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):29730
                                        Entropy (8bit):7.994290657653608
                                        Encrypted:true
                                        SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                        MD5:A9C8A3E00692F79E1BA9693003F85D18
                                        SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                        SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                        SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                        Malicious:false
                                        Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:7-zip archive data, version 0.4
                                        Category:dropped
                                        Size (bytes):1991296
                                        Entropy (8bit):7.999905359856561
                                        Encrypted:true
                                        SSDEEP:49152:ynmSM3y/RF7EiDKCrZrs9JiM6VCbNbaWWdQsR1moZ3UXCQw:ymRi51EiXtrMJiNiOWWjbbQw
                                        MD5:D16EBCD4863229D2C0541C8BF7D701D0
                                        SHA1:BB5516ABE88F0236482026FD4C116405CACB1E06
                                        SHA-256:2D6C81ED60C4F07B8928FAE1B30A299D9EBA2D0924D06CC0EF6DAF0177549E84
                                        SHA-512:959B5906B2EC7D01ACF1224B11C45724FB17A8763FEB6A745E9D8FC04FEBBFBB87AE8E1C3D2E892C9DDFB7160E9D1DC423EDEBA88E19F3A162B0EF5F79C4A78E
                                        Malicious:false
                                        Preview:7z..'...9... b......@.........v'........c...Z..M..6._.}..h.J.pPD|..-............S^@..0%. ..S;U.....w'|../....G.................]0.e...I.!:...l...+.D..V.....L(>.;..&.8+..w.2(VCI.$..]I..D......N....$H.....Z.+.7=.7..VhdZ7.Lg....bP&...w..i..Yc!..O...h.._.li..Y...HcRF...5.4B.M.........B.&)..F..|.....lm.SF.$s.B]F.....o...f.$F.v..E`.....E..I......o#b...L..E@.nvq.%=...EG...2.%T.+[.Y0.z.."..$..@.....J......c.......k...o.}..`d.1e\......O..Py...%..{x..$.....x..z]@.3...,....K..)1f.Z.....=\Y..P.n;.9.vL.+.:D>6....2.J.6..3GL.X.w..D$..h\.q...[_a ./.M...0.....E..*C....r...%.#y.$.x. f....2gG.MzXsC.k0..{(.(t......f..%F.4....g^.@.1.q........"....K../..4....0b.Qm.W.X.|.+.sW.C..Q.9l(..r3.v..a ......A..t..I..AThU...&7..S..D.....4Q.......]..:.....O...82.....y.......%#...83:.W...{)........1GO.qb\...C..XY}.f..O.q...{.....R.L.@r.....k/...8%..8.q2H....P.GY..X....P..X?.&.2|....H..4]......_..a.x6Z-..6....j&...P..h.V..VebV.5Aa..T1.F.>e4(*...`|..y<......c..;0...LM
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:PE32+ executable (native) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):63640
                                        Entropy (8bit):6.482810107683822
                                        Encrypted:false
                                        SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                        MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                        SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                        SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                        SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 9%
                                        • Antivirus: Virustotal, Detection: 6%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4096
                                        Entropy (8bit):3.344834847024567
                                        Encrypted:false
                                        SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                                        MD5:7F252B19B6E96247184F55570325E9FA
                                        SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                                        SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                                        SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                                        Malicious:false
                                        Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1741188
                                        Entropy (8bit):7.9999001471583515
                                        Encrypted:true
                                        SSDEEP:49152:9aEhXvns3rFhdXUq1lMApKE59iYLfn1jtTO/W2Y7u4NC:bXvsbGqXMUKE59i2rSMu4NC
                                        MD5:094C0AE003065FFA5629135986100DE9
                                        SHA1:4E69EB9649E29070C6F9229663E20E6895EE3635
                                        SHA-256:4E32486F96073839E9E674B2C372B58BC4244EAF45994E50D46BF94A3BF6B5ED
                                        SHA-512:2C952EB9CFC46F4DF1A4F7E36B372C15B5361513805739E5424095C74AE6C4E1DFC0160505E1CBDFCDA73391E51ED40BC26E2BAE3E7C4CF87EA40DCF2C60F984
                                        Malicious:false
                                        Preview:.#........J..#..Q.JQ;...}....S..U?.S.Z.qcL.XY:#w..).R.I..Dx....r....2. .T.....iC.:.2..+^..t...tc.......8p&....|...y*c....M..q..e1Xk.4...x..F.n.F....e0....ow.......P.I@.r..'7..Fh%..E.b.....<...iw6Z.......YvY...~YT..`.2rgl.......2..7.,.guV..............c#2....W.Z.....E.$....j......m...d..#.Xq.-J..Q.v.{.q...J'G....#<(.cc=hA.2.6iy.-8N.....(.!..zd..YQ......j-^..e..*X!..5..f.M,..j..&G......q...*......3.#.xQ.3.(.{..2..n.....g../..T5q......f.........3My4......I.......2.......#k...yg.....).2y........:..)!9K..NB..?.&..b.k...N...xc.K..T....3.K.;.\...../(7.r....>.g.....w."...R..>.;8@:....0lK7>.&1p./.?b}.;._b..|[.TC...UO.W...br.Kp....6m.B...$NOL.......R7r..&/d..^.:......o.f...?@.@....t^e...@.4.I)...)-.y.K.Y....2..~...>..d.<.....n....\l|..H.d3t...L?"..l... ..>....wc....T.......L7.....j.......l...K......,yB ......N.......L_...Z.at..O</..X.~...E..y...q~G....1..=.rwR....Y.......(3m..>.R~F.U....J.w.....L.Jx|.b.....l.B.'A&....z.X..K.T.G...{9..i...e.
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):1.1940658735648508
                                        Encrypted:false
                                        SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                                        MD5:DA1F22117B9766A1F0220503765A5BA5
                                        SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                                        SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                                        SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                                        Malicious:false
                                        Preview:@...e.................................R..............@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        • Antivirus: Virustotal, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3606528
                                        Entropy (8bit):7.005604268954487
                                        Encrypted:false
                                        SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                                        MD5:1047AF726D2E233D71934EF55E635C4A
                                        SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                                        SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                                        SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 16%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                        Category:dropped
                                        Size (bytes):6144
                                        Entropy (8bit):4.720366600008286
                                        Encrypted:false
                                        SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                        MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                        SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                        SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                        SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                        Malicious:false
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 0%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3606528
                                        Entropy (8bit):7.005604268954487
                                        Encrypted:false
                                        SSDEEP:98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
                                        MD5:1047AF726D2E233D71934EF55E635C4A
                                        SHA1:AB12E827E4E57DEA2E885733F0C48E9A83756678
                                        SHA-256:42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
                                        SHA-512:8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 16%
                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\cVyexkZjrG.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3366912
                                        Entropy (8bit):6.530564756542746
                                        Encrypted:false
                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                        MD5:0195248B8EBF37D072592944E7488FC4
                                        SHA1:9B440D54D0F9033ED9B4F153521EBE557B09E9A2
                                        SHA-256:CBD84C67DBC982E19F49D77A9FB61D81ED3E3873A858BA88C8916D9513602483
                                        SHA-512:5DD4297E8A7473B176108737EAF89F4514F15FFBDC57DBA33748012DD07971CBAEC9EC53C036A2681999A262FB43E8847CB5BF0DB5825B9FB4FB326F4ED7D596
                                        Malicious:true
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                        Process:C:\Users\user\Desktop\cVyexkZjrG.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):3366912
                                        Entropy (8bit):6.530564756542746
                                        Encrypted:false
                                        SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                        MD5:0195248B8EBF37D072592944E7488FC4
                                        SHA1:9B440D54D0F9033ED9B4F153521EBE557B09E9A2
                                        SHA-256:CBD84C67DBC982E19F49D77A9FB61D81ED3E3873A858BA88C8916D9513602483
                                        SHA-512:5DD4297E8A7473B176108737EAF89F4514F15FFBDC57DBA33748012DD07971CBAEC9EC53C036A2681999A262FB43E8847CB5BF0DB5825B9FB4FB326F4ED7D596
                                        Malicious:true
                                        Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                        Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):406
                                        Entropy (8bit):5.117520345541057
                                        Encrypted:false
                                        SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                        MD5:9200058492BCA8F9D88B4877F842C148
                                        SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                        SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                        SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                        Malicious:false
                                        Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.947667484457675
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 98.04%
                                        • Inno Setup installer (109748/4) 1.08%
                                        • InstallShield setup (43055/19) 0.42%
                                        • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                        File name:cVyexkZjrG.exe
                                        File size:7'370'578 bytes
                                        MD5:4e1927f742599f95f0d9450b4b8c2c80
                                        SHA1:4bd20ceb48adb224d11eae63ce6f27cb974e321b
                                        SHA256:5a3c5aa184e4fdb2de4530c18adb9b12ffc1a101c86cde8de13ce49d7a7a2b44
                                        SHA512:bcd48db8ad3717543fd8845af2bca36bfdc56e0f8a61a6cdfcd391120479451c6f13ddc3035f9117c804fece98291d34d332f26aad810b9c6ed5fa766e96f9b6
                                        SSDEEP:196608:lzGMRNXJundeS47FJ9qQNWxCfzLZghnolTi:l7RhJ+deT7FL7aWLChnolm
                                        TLSH:17762223F2CBD03DE05E4B3B19B2A15490FB6A21A923AD5796ECB4ACCF351501D3E647
                                        File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                        Icon Hash:0c0c2d33ceec80aa
                                        Entrypoint:0x4a83bc
                                        Entrypoint Section:.itext
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:6
                                        OS Version Minor:1
                                        File Version Major:6
                                        File Version Minor:1
                                        Subsystem Version Major:6
                                        Subsystem Version Minor:1
                                        Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        add esp, FFFFFFA4h
                                        push ebx
                                        push esi
                                        push edi
                                        xor eax, eax
                                        mov dword ptr [ebp-3Ch], eax
                                        mov dword ptr [ebp-40h], eax
                                        mov dword ptr [ebp-5Ch], eax
                                        mov dword ptr [ebp-30h], eax
                                        mov dword ptr [ebp-38h], eax
                                        mov dword ptr [ebp-34h], eax
                                        mov dword ptr [ebp-2Ch], eax
                                        mov dword ptr [ebp-28h], eax
                                        mov dword ptr [ebp-14h], eax
                                        mov eax, 004A2EBCh
                                        call 00007FBA90A6C025h
                                        xor eax, eax
                                        push ebp
                                        push 004A8AC1h
                                        push dword ptr fs:[eax]
                                        mov dword ptr fs:[eax], esp
                                        xor edx, edx
                                        push ebp
                                        push 004A8A7Bh
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        mov eax, dword ptr [004B0634h]
                                        call 00007FBA90AFD9ABh
                                        call 00007FBA90AFD4FEh
                                        lea edx, dword ptr [ebp-14h]
                                        xor eax, eax
                                        call 00007FBA90AF81D8h
                                        mov edx, dword ptr [ebp-14h]
                                        mov eax, 004B41F4h
                                        call 00007FBA90A660D3h
                                        push 00000002h
                                        push 00000000h
                                        push 00000001h
                                        mov ecx, dword ptr [004B41F4h]
                                        mov dl, 01h
                                        mov eax, dword ptr [0049CD14h]
                                        call 00007FBA90AF9503h
                                        mov dword ptr [004B41F8h], eax
                                        xor edx, edx
                                        push ebp
                                        push 004A8A27h
                                        push dword ptr fs:[edx]
                                        mov dword ptr fs:[edx], esp
                                        call 00007FBA90AFDA33h
                                        mov dword ptr [004B4200h], eax
                                        mov eax, dword ptr [004B4200h]
                                        cmp dword ptr [eax+0Ch], 01h
                                        jne 00007FBA90B0471Ah
                                        mov eax, dword ptr [004B4200h]
                                        mov edx, 00000028h
                                        call 00007FBA90AF9DF8h
                                        mov edx, dword ptr [004B4200h]
                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                        .rsrc | 0xcb000 | 0x11000 | 0x11000 | c7a4821d78da65e97b874b4ac988cfcd | False | 0.18775850183823528 | data | 3.7235953212868016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                        RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                        RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                        RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                        RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                        RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                        RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                        RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                        RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                        RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                        RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                        RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                        RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                        RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                        RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                        RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                        RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                        RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                        RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                        RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                        RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                        RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                        RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                        RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                        RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                        RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                        RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                        RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                                        RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                        RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2769121813031161
                                        RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                        DLL | Import
                                        kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                        comctl32.dll | InitCommonControls
                                        user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                        oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                        advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                        Name | Ordinal | Address
                                        __dbk_fcall_wrapper | 2 | 0x40fc10
                                        dbkFCallWrapperAddr | 1 | 0x4b063c
                                        Language of compilation system | Country where language is spoken | Map
                                        English | United States |
                                        No network behavior found

                                        Target ID:0
                                        Start time:00:13:55
                                        Start date:24/12/2024
                                        Path:C:\Users\user\Desktop\cVyexkZjrG.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\cVyexkZjrG.exe"
                                        Imagebase:0x530000
                                        File size:7'370'578 bytes
                                        MD5 hash:4E1927F742599F95F0D9450B4B8C2C80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:1
                                        Start time:00:13:55
                                        Start date:24/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-F0U0E.tmp\cVyexkZjrG.tmp" /SL5="$10466,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe"
                                        Imagebase:0xc80000
                                        File size:3'366'912 bytes
                                        MD5 hash:0195248B8EBF37D072592944E7488FC4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:00:13:56
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:00:13:56
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:00:13:56
                                        Start date:24/12/2024
                                        Path:C:\Users\user\Desktop\cVyexkZjrG.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
                                        Imagebase:0x530000
                                        File size:7'370'578 bytes
                                        MD5 hash:4E1927F742599F95F0D9450B4B8C2C80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:false

                                        Target ID:5
                                        Start time:00:13:56
                                        Start date:24/12/2024
                                        Path:C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\Temp\is-SBN02.tmp\cVyexkZjrG.tmp" /SL5="$1048C,6416153,845824,C:\Users\user\Desktop\cVyexkZjrG.exe" /VERYSILENT
                                        Imagebase:0xee0000
                                        File size:3'366'912 bytes
                                        MD5 hash:0195248B8EBF37D072592944E7488FC4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:00:13:59
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:00:13:59
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:00:13:59
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x830000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:00:13:59
                                        Start date:24/12/2024
                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                        Wow64 process (32bit):true
                                        Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                        Imagebase:0x4c0000
                                        File size:831'200 bytes
                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 0%, ReversingLabs
                                        • Detection: 0%, Virustotal
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:10
                                        Start time:00:13:59
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:00:14:00
                                        Start date:24/12/2024
                                        Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                        Wow64 process (32bit):true
                                        Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                        Imagebase:0x4c0000
                                        File size:831'200 bytes
                                        MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:true

                                        Target ID:12
                                        Start time:00:14:00
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:14
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff693ab0000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:15
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:16
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:17
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:18
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:19
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:20
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:21
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:22
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:23
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:24
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:25
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:26
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:27
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:28
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:29
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:30
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:31
                                        Start time:00:14:01
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:32
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:33
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:34
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:35
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:36
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:37
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:38
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:39
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:40
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:41
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:42
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:43
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:44
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:45
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:46
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:47
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:48
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:49
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:50
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:51
                                        Start time:00:14:02
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:52
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:53
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:54
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:55
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:56
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:57
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:58
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:59
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:60
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:61
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:62
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:63
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:64
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:65
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:66
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:67
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:68
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:69
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:70
                                        Start time:00:14:03
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:71
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:72
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:73
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:74
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:75
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:76
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:77
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:78
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:79
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:80
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:81
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:82
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:83
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:84
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:85
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:86
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:87
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:88
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:89
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:90
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:91
                                        Start time:00:14:04
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:92
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:93
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:94
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:95
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:96
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:97
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:98
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:99
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:100
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:101
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:102
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:103
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:104
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:105
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:106
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:107
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:108
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\sc.exe
                                        Wow64 process (32bit):false
                                        Commandline:sc start CleverSoar
                                        Imagebase:0x7ff79cd60000
                                        File size:72'192 bytes
                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:109
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:110
                                        Start time:00:14:05
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd /c start sc start CleverSoar
                                        Imagebase:0x7ff7ce840000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:265
                                        Start time:00:14:12
                                        Start date:24/12/2024
                                        Path:C:\Windows\System32\Conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language
                                        Has exited:false
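
The process list above repeats one launch chain many times inside two seconds: `cmd /c start sc start CleverSoar`, which spawns `sc start CleverSoar`, which gets its own `conhost.exe`. The Python below is an added example, not part of the Joe Sandbox report, showing how to parse entries in this Key:value layout and flag a burst of `sc start` attempts against a single service. The sample entries, the three-attempts-in-five-seconds threshold and the function names are constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the report's "Key:value" layout (subset of fields).
# Written for this example; not copied from the report.
SAMPLE = r"""
Target ID:83
Start time:00:14:04
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar

Target ID:84
Start time:00:14:04
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:87
Start time:00:14:04
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:90
Start time:00:14:05
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar

Target ID:200
Start time:00:20:30
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start Spooler
"""

SC_START = re.compile(r"^sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)
CMD_DETACHED = re.compile(r"^cmd(?:\.exe)?\s+/c\s+start\s+(.+)$", re.IGNORECASE)


def parse_blocks(text):
    """One dict per process. Blocks are separated by a blank line; only the
    first ':' on a line splits key from value, so a 'Path:C:\\...' value
    keeps its drive-letter colon."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                entry[key] = value
        if "Target ID" in entry:
            procs.append(entry)
    return procs


def started_at(proc):
    """Combine the report's separate date and time fields into a datetime."""
    return datetime.strptime(
        f"{proc['Start date']} {proc['Start time']}", "%d/%m/%Y %H:%M:%S")


def service_start_bursts(procs, min_count=3, window=timedelta(seconds=5)):
    """{service: attempts} for each service that 'sc start' was run against at
    least `min_count` times within some `window`-long interval. An installer
    starts its service once; a burst means the starts are being retried.
    The thresholds are assumptions chosen for this example."""
    by_service = {}
    for proc in procs:
        hit = SC_START.match(proc.get("Commandline", ""))
        if hit:
            by_service.setdefault(hit.group(1), []).append(started_at(proc))
    bursts = {}
    for service, times in by_service.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted starts
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= min_count:
            bursts[service] = best
    return bursts


def detached_wrappers(procs):
    """Count 'cmd /c start <inner>' launchers per inner command. The START
    built-in returns as soon as the child is spawned, which is why every cmd
    row in such a chain shows 'Has exited:true' at once; time the service
    start from the child's own row, not the wrapper's."""
    counts = {}
    for proc in procs:
        hit = CMD_DETACHED.match(proc.get("Commandline", ""))
        if hit:
            inner = hit.group(1).strip()
            counts[inner] = counts.get(inner, 0) + 1
    return counts


if __name__ == "__main__":
    procs = parse_blocks(SAMPLE)
    print("service start bursts:", service_start_bursts(procs))
    print("detached cmd wrappers:", detached_wrappers(procs))
```

On the constructed sample the burst detector reports `CleverSoar` with three attempts and ignores the single `Spooler` start. When running this over a real report, export the process table with its full field set and keep the per-service window small; a service that is started once and stays up is normal, a service that is started in a loop is not.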

                                          Execution Graph

                                          Execution Coverage:2.4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:15.4%
                                          Total number of Nodes:825
                                          Total number of Limit Nodes:9
                                          execution_graph (rendered node/edge listing, not reproduced; the listing is truncated on the page). Win32/NT API calls named on graph nodes, by node address:
                                          6c5b5164: CreateFileA, CloseHandle
                                          6c5be8dd: GetCurrentProcess, TerminateProcess
                                          6c5bfbe8: ExitWindowsEx, Sleep
                                          6c5c2452, 6c5c37d0: Sleep
                                          6c70c1e0: WriteFile, WriteFile, WriteFile, ReadFile
                                          6c72251b, 6c72310e, 6c723f5f: CloseHandle
                                          6c72aed6: FindFirstFileA; 6c72af14: FindClose
                                          6c734ff0: CreateProcessA
                                          6c735120: OpenSCManagerA; 6c7351e8: OpenServiceA
                                          6c735240: CreateToolhelp32Snapshot
                                          6c735d60: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, NtInitiatePowerAction
                                          6c736a43, 6c73f014, 6c7380bc, 6c739379: IsProcessorFeaturePresent, RaiseException, EnterCriticalSection, LeaveCriticalSection (CRT paths, std::_Facet_Register)
                                          6c7447bb: HeapFree, GetLastError (__dosmaperr)
                                          6c74cd57: GetConsoleMode; 6c74cd6e: ReadConsoleW; 6c74cdb8: ReadFile; 6c74cd8a, 6c74ce2c: GetLastError
                                          Nodes listed only by call count (6c5d6ba0: 104 API calls, 6c735960: 104, 6c5d7090: 77, 6c5fe010: 67, 6c740b18: 67, 6c5d6e60: 32, 6c731880: 25, 6c74cefe: 23, 6c74d1b6: 21, 6c740120 and 6c740130 and 6c5b15e0: 18) carry no API names in the listing.
66339->66340 66341 6c6001f0 64 API calls 66339->66341 66340->66126 66342 6c5fe098 66341->66342 66343 6c740b18 67 API calls 66342->66343 66343->66340 66344->66153 66346 6c7350ca 66345->66346 66347 6c735080 WaitForSingleObject CloseHandle CloseHandle 66346->66347 66348 6c7350e3 66346->66348 66347->66346 66348->66161 66349->66177 66351 6c7359b7 66350->66351 66879 6c735ff0 66351->66879 66353 6c7359c8 66354 6c5d6ba0 104 API calls 66353->66354 66357 6c7359ec 66354->66357 66355 6c5fe010 67 API calls 66356 6c735a9f std::ios_base::_Ios_base_dtor 66355->66356 66359 6c5fe010 67 API calls 66356->66359 66360 6c735a54 66357->66360 66366 6c735a67 66357->66366 66898 6c736340 66357->66898 66906 6c612000 66357->66906 66362 6c735ae2 std::ios_base::_Ios_base_dtor 66359->66362 66916 6c735b90 66360->66916 66362->66214 66364 6c735a5c 66365 6c5d7090 77 API calls 66364->66365 66365->66366 66366->66355 66367->66203 66371 6c7352a0 std::locale::_Setgloballocale 66368->66371 66369 6c735277 CloseHandle 66369->66371 66370 6c735320 Process32NextW 66370->66371 66371->66369 66371->66370 66372 6c7353b1 66371->66372 66373 6c735345 Process32FirstW 66371->66373 66372->66127 66373->66371 66374->66149 66376->66132 66377->66264 66378->66272 66379->66274 66380->66267 66381->66270 66383 6c70b743 _Yarn __wsopen_s std::locale::_Setgloballocale 66382->66383 66384 6c70c180 66383->66384 66385 6c70bced CreateFileA 66383->66385 66387 6c70aa30 66383->66387 66384->66292 66385->66383 66390 6c70aa43 __wsopen_s std::locale::_Setgloballocale 66387->66390 66388 6c70b43d WriteFile 66388->66390 66389 6c70b3e9 WriteFile 66389->66390 66390->66388 66390->66389 66391 6c70b718 66390->66391 66392 6c70ab95 ReadFile 66390->66392 66391->66383 66392->66390 66394 6c736a43 std::_Facet_Register 4 API calls 66393->66394 66395 6c60207e 66394->66395 66396 6c737327 43 API calls 66395->66396 66397 6c602092 66396->66397 66432 6c602f60 42 API calls 4 library calls 66397->66432 66399 6c6020c8 66400 6c60210d 66399->66400 66401 6c602136 
66399->66401 66402 6c602120 66400->66402 66433 6c736f8e 9 API calls 2 library calls 66400->66433 66434 6c602250 30 API calls 66401->66434 66402->66299 66405 6c60215b 66435 6c602340 24 API calls 66405->66435 66407 6c602171 66436 6c739379 RaiseException 66407->66436 66409 6c60217c 66409->66299 66411 6c737333 __EH_prolog3 66410->66411 66437 6c736eb5 66411->66437 66416 6c737351 66451 6c7373ba 39 API calls std::locale::_Setgloballocale 66416->66451 66417 6c7373ac 66417->66303 66419 6c737359 66452 6c7371b1 HeapFree GetLastError _Yarn 66419->66452 66421 6c73736f 66443 6c736ee6 66421->66443 66423 6c5d6d5d 66422->66423 66424 6c601ddc 66422->66424 66423->66306 66429 6c602250 30 API calls 66423->66429 66457 6c737447 66424->66457 66428 6c601e82 66429->66308 66430->66310 66431->66312 66432->66399 66433->66402 66434->66405 66435->66407 66436->66409 66438 6c736ec4 66437->66438 66439 6c736ecb 66437->66439 66453 6c7403cd 6 API calls std::_Lockit::_Lockit 66438->66453 66442 6c736ec9 66439->66442 66454 6c73858b EnterCriticalSection 66439->66454 66442->66421 66450 6c737230 6 API calls 2 library calls 66442->66450 66444 6c736ef0 66443->66444 66445 6c7403db 66443->66445 66449 6c736f03 66444->66449 66455 6c738599 LeaveCriticalSection 66444->66455 66456 6c7403b6 LeaveCriticalSection 66445->66456 66448 6c7403e2 66448->66417 66449->66417 66450->66416 66451->66419 66452->66421 66453->66442 66454->66442 66455->66449 66456->66448 66458 6c737450 66457->66458 66464 6c601dea 66458->66464 66466 6c73fd4a 66458->66466 66460 6c73749c 66460->66464 66477 6c73fa58 65 API calls 66460->66477 66462 6c7374b7 66462->66464 66478 6c740b18 66462->66478 66464->66423 66465 6c73c563 18 API calls __wsopen_s 66464->66465 66465->66428 66467 6c73fd55 __wsopen_s 66466->66467 66468 6c73fd68 66467->66468 66469 6c73fd88 66467->66469 66503 6c740120 18 API calls __wsopen_s 66468->66503 66473 6c73fd78 66469->66473 66489 6c74ae0c 66469->66489 66473->66460 66477->66462 66479 6c740b24 __wsopen_s 66478->66479 66480 6c740b43 
66479->66480 66481 6c740b2e 66479->66481 66488 6c740b3e 66480->66488 66684 6c73c5a9 EnterCriticalSection 66480->66684 66699 6c740120 18 API calls __wsopen_s 66481->66699 66484 6c740b60 66685 6c740b9c 66484->66685 66486 6c740b6b 66700 6c740b92 LeaveCriticalSection 66486->66700 66488->66464 66490 6c74ae18 __wsopen_s 66489->66490 66505 6c74039f EnterCriticalSection 66490->66505 66492 6c74ae26 66506 6c74aeb0 66492->66506 66497 6c74af72 66498 6c74b091 66497->66498 66530 6c74b114 66498->66530 66501 6c73fdcc 66504 6c73fdf5 LeaveCriticalSection 66501->66504 66503->66473 66504->66473 66505->66492 66513 6c74aed3 66506->66513 66507 6c74ae33 66520 6c74ae6c 66507->66520 66508 6c74af2b 66525 6c7471e5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66508->66525 66510 6c74af34 66526 6c7447bb HeapFree GetLastError __dosmaperr 66510->66526 66513->66507 66513->66508 66523 6c73c5a9 EnterCriticalSection 66513->66523 66524 6c73c5bd LeaveCriticalSection 66513->66524 66514 6c74af3d 66514->66507 66527 6c746c1f 6 API calls std::_Lockit::_Lockit 66514->66527 66516 6c74af5c 66528 6c73c5a9 EnterCriticalSection 66516->66528 66519 6c74af6f 66519->66507 66529 6c7403b6 LeaveCriticalSection 66520->66529 66522 6c73fda3 66522->66473 66522->66497 66523->66513 66524->66513 66525->66510 66526->66514 66527->66516 66528->66519 66529->66522 66531 6c74b133 66530->66531 66532 6c74b146 66531->66532 66536 6c74b15b 66531->66536 66546 6c740120 18 API calls __wsopen_s 66532->66546 66534 6c74b0a7 66534->66501 66543 6c753fde 66534->66543 66536->66536 66541 6c74b27b 66536->66541 66547 6c753ea8 37 API calls __wsopen_s 66536->66547 66538 6c74b2cb 66538->66541 66548 6c753ea8 37 API calls __wsopen_s 66538->66548 66540 6c74b2e9 66540->66541 66549 6c753ea8 37 API calls __wsopen_s 66540->66549 66541->66534 66550 6c740120 18 API calls __wsopen_s 66541->66550 66551 6c754396 66543->66551 66546->66534 66547->66538 66548->66540 66549->66541 66550->66534 66553 6c7543a2 __wsopen_s 66551->66553 
66552 6c7543a9 66569 6c740120 18 API calls __wsopen_s 66552->66569 66553->66552 66554 6c7543d4 66553->66554 66560 6c753ffe 66554->66560 66559 6c753ff9 66559->66501 66571 6c7406cb 66560->66571 66564 6c754034 66567 6c754066 66564->66567 66611 6c7447bb HeapFree GetLastError __dosmaperr 66564->66611 66570 6c75442b LeaveCriticalSection __wsopen_s 66567->66570 66569->66559 66570->66559 66612 6c73bceb 66571->66612 66574 6c7406ef 66576 6c73bdf6 66574->66576 66621 6c73be4e 66576->66621 66578 6c73be0e 66578->66564 66579 6c75406c 66578->66579 66636 6c7544ec 66579->66636 66585 6c75409e __dosmaperr 66585->66564 66586 6c754192 GetFileType 66587 6c7541e4 66586->66587 66588 6c75419d GetLastError 66586->66588 66666 6c7517b0 SetStdHandle __dosmaperr __wsopen_s 66587->66666 66665 6c73f9f2 __dosmaperr 66588->66665 66589 6c754167 GetLastError 66589->66585 66591 6c754115 66591->66586 66591->66589 66664 6c754457 CreateFileW 66591->66664 66593 6c7541ab CloseHandle 66593->66585 66608 6c7541d4 66593->66608 66594 6c75415a 66594->66586 66594->66589 66596 6c754205 66597 6c754251 66596->66597 66667 6c754666 70 API calls 2 library calls 66596->66667 66601 6c754258 66597->66601 66681 6c754710 70 API calls 2 library calls 66597->66681 66600 6c754286 66600->66601 66602 6c754294 66600->66602 66668 6c74b925 66601->66668 66602->66585 66604 6c754310 CloseHandle 66602->66604 66682 6c754457 CreateFileW 66604->66682 66606 6c75433b 66607 6c754345 GetLastError 66606->66607 66606->66608 66609 6c754351 __dosmaperr 66607->66609 66608->66585 66683 6c75171f SetStdHandle __dosmaperr __wsopen_s 66609->66683 66611->66567 66613 6c73bd0b 66612->66613 66619 6c73bd02 66612->66619 66614 6c7449b2 __Getctype 37 API calls 66613->66614 66613->66619 66615 6c73bd2b 66614->66615 66616 6c744f28 __Getctype 37 API calls 66615->66616 66617 6c73bd41 66616->66617 66618 6c744f55 __fassign 37 API calls 66617->66618 66618->66619 66619->66574 66620 6c7469d5 5 API calls std::_Lockit::_Lockit 66619->66620 66620->66574 66622 6c73be76 
66621->66622 66623 6c73be5c 66621->66623 66625 6c73be7d 66622->66625 66626 6c73be9c 66622->66626 66624 6c73bddc __wsopen_s HeapFree GetLastError 66623->66624 66631 6c73be66 __dosmaperr 66624->66631 66629 6c73bd9d __wsopen_s HeapFree GetLastError 66625->66629 66625->66631 66627 6c744843 __fassign MultiByteToWideChar 66626->66627 66628 6c73beab 66627->66628 66630 6c73beb2 GetLastError 66628->66630 66632 6c73bed8 66628->66632 66633 6c73bd9d __wsopen_s HeapFree GetLastError 66628->66633 66629->66631 66630->66631 66631->66578 66632->66631 66634 6c744843 __fassign MultiByteToWideChar 66632->66634 66633->66632 66635 6c73beef 66634->66635 66635->66630 66635->66631 66637 6c754527 66636->66637 66639 6c75450d 66636->66639 66638 6c75447c __wsopen_s 18 API calls 66637->66638 66643 6c75455f 66638->66643 66639->66637 66640 6c740120 __wsopen_s 18 API calls 66639->66640 66640->66637 66641 6c75458e 66642 6c755911 __wsopen_s 18 API calls 66641->66642 66648 6c754089 66641->66648 66644 6c7545dc 66642->66644 66643->66641 66645 6c740120 __wsopen_s 18 API calls 66643->66645 66646 6c754659 66644->66646 66644->66648 66645->66641 66647 6c74014d __Getctype 11 API calls 66646->66647 66649 6c754665 66647->66649 66648->66585 66650 6c75160c 66648->66650 66651 6c751618 __wsopen_s 66650->66651 66652 6c74039f std::_Lockit::_Lockit EnterCriticalSection 66651->66652 66653 6c75161f 66652->66653 66655 6c751644 66653->66655 66659 6c7516b3 EnterCriticalSection 66653->66659 66660 6c751666 66653->66660 66654 6c751716 __wsopen_s LeaveCriticalSection 66656 6c751686 66654->66656 66657 6c751842 __wsopen_s 11 API calls 66655->66657 66656->66585 66663 6c754457 CreateFileW 66656->66663 66658 6c751649 66657->66658 66658->66660 66662 6c751990 __wsopen_s EnterCriticalSection 66658->66662 66659->66660 66661 6c7516c0 LeaveCriticalSection 66659->66661 66660->66654 66661->66653 66662->66660 66663->66591 66664->66594 66665->66593 66666->66596 66667->66597 66669 6c7515a2 __wsopen_s 18 API calls 66668->66669 66671 6c74b935 
66669->66671 66670 6c74b93b 66673 6c75171f __wsopen_s SetStdHandle 66670->66673 66671->66670 66672 6c74b96d 66671->66672 66674 6c7515a2 __wsopen_s 18 API calls 66671->66674 66672->66670 66675 6c7515a2 __wsopen_s 18 API calls 66672->66675 66680 6c74b993 __dosmaperr 66673->66680 66676 6c74b964 66674->66676 66677 6c74b979 CloseHandle 66675->66677 66678 6c7515a2 __wsopen_s 18 API calls 66676->66678 66677->66670 66679 6c74b985 GetLastError 66677->66679 66678->66672 66679->66670 66680->66585 66681->66600 66682->66606 66683->66608 66684->66484 66686 6c740bbe 66685->66686 66687 6c740ba9 66685->66687 66691 6c740bb9 66686->66691 66701 6c740cb9 66686->66701 66723 6c740120 18 API calls __wsopen_s 66687->66723 66691->66486 66695 6c740be1 66716 6c74b898 66695->66716 66697 6c740be7 66697->66691 66724 6c7447bb HeapFree GetLastError __dosmaperr 66697->66724 66699->66488 66700->66488 66702 6c740cd1 66701->66702 66703 6c740bd3 66701->66703 66702->66703 66704 6c749c60 18 API calls 66702->66704 66707 6c74873e 66703->66707 66705 6c740cef 66704->66705 66725 6c74bb6c 66705->66725 66708 6c748755 66707->66708 66710 6c740bdb 66707->66710 66708->66710 66809 6c7447bb HeapFree GetLastError __dosmaperr 66708->66809 66711 6c749c60 66710->66711 66712 6c749c81 66711->66712 66713 6c749c6c 66711->66713 66712->66695 66810 6c740120 18 API calls __wsopen_s 66713->66810 66715 6c749c7c 66715->66695 66717 6c74b8be 66716->66717 66721 6c74b8a9 __dosmaperr 66716->66721 66718 6c74b8e5 66717->66718 66719 6c74b907 __dosmaperr 66717->66719 66811 6c74b9c1 66718->66811 66819 6c740120 18 API calls __wsopen_s 66719->66819 66721->66697 66723->66691 66724->66691 66726 6c74bb78 __wsopen_s 66725->66726 66727 6c74bbca 66726->66727 66729 6c74bc33 __dosmaperr 66726->66729 66732 6c74bb80 __dosmaperr 66726->66732 66736 6c751990 EnterCriticalSection 66727->66736 66766 6c740120 18 API calls __wsopen_s 66729->66766 66730 6c74bbd0 66734 6c74bbec __dosmaperr 66730->66734 66737 6c74bc5e 66730->66737 66732->66703 66765 6c74bc2b 
LeaveCriticalSection __wsopen_s 66734->66765 66736->66730 66738 6c74bc80 66737->66738 66764 6c74bc9c __dosmaperr 66737->66764 66739 6c74bcd4 66738->66739 66740 6c74bc84 __dosmaperr 66738->66740 66741 6c74bce7 66739->66741 66775 6c74ac69 20 API calls __wsopen_s 66739->66775 66774 6c740120 18 API calls __wsopen_s 66740->66774 66767 6c74be40 66741->66767 66746 6c74bd3c 66750 6c74bd95 WriteFile 66746->66750 66751 6c74bd50 66746->66751 66747 6c74bcfd 66748 6c74bd26 66747->66748 66749 6c74bd01 66747->66749 66777 6c74beb1 43 API calls 5 library calls 66748->66777 66749->66764 66776 6c74c25b 6 API calls __wsopen_s 66749->66776 66753 6c74bdb9 GetLastError 66750->66753 66750->66764 66754 6c74bd85 66751->66754 66755 6c74bd5b 66751->66755 66753->66764 66780 6c74c2c3 7 API calls 2 library calls 66754->66780 66758 6c74bd75 66755->66758 66759 6c74bd60 66755->66759 66779 6c74c487 8 API calls 3 library calls 66758->66779 66762 6c74bd65 66759->66762 66759->66764 66761 6c74bd73 66761->66764 66778 6c74c39e 7 API calls 2 library calls 66762->66778 66764->66734 66765->66732 66766->66732 66768 6c7519e5 __wsopen_s 18 API calls 66767->66768 66769 6c74be51 66768->66769 66770 6c74bcf8 66769->66770 66781 6c7449b2 GetLastError 66769->66781 66770->66746 66770->66747 66773 6c74be8e GetConsoleMode 66773->66770 66774->66764 66775->66741 66776->66764 66777->66764 66778->66761 66779->66761 66780->66761 66782 6c7449cf 66781->66782 66783 6c7449c9 66781->66783 66785 6c746b62 __Getctype 6 API calls 66782->66785 66787 6c7449d5 SetLastError 66782->66787 66784 6c746b23 __Getctype 6 API calls 66783->66784 66784->66782 66786 6c7449ed 66785->66786 66786->66787 66788 6c7449f1 66786->66788 66794 6c744a63 66787->66794 66795 6c744a69 66787->66795 66789 6c7471e5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 66788->66789 66790 6c7449fd 66789->66790 66792 6c744a05 66790->66792 66793 6c744a1c 66790->66793 66796 6c746b62 __Getctype 6 API calls 66792->66796 66798 6c746b62 __Getctype 6 API calls 
66793->66798 66794->66770 66794->66773 66797 6c740ac9 __Getctype 35 API calls 66795->66797 66799 6c744a13 66796->66799 66800 6c744a6e 66797->66800 66801 6c744a28 66798->66801 66804 6c7447bb _free HeapFree GetLastError 66799->66804 66802 6c744a2c 66801->66802 66803 6c744a3d 66801->66803 66805 6c746b62 __Getctype 6 API calls 66802->66805 66807 6c7447bb _free HeapFree GetLastError 66803->66807 66806 6c744a19 66804->66806 66805->66799 66806->66787 66808 6c744a4f 66807->66808 66808->66787 66809->66710 66810->66715 66812 6c74b9cd __wsopen_s 66811->66812 66820 6c751990 EnterCriticalSection 66812->66820 66814 6c74b9db 66815 6c74b925 __wsopen_s 21 API calls 66814->66815 66816 6c74ba08 66814->66816 66815->66816 66821 6c74ba41 LeaveCriticalSection __wsopen_s 66816->66821 66818 6c74ba2a 66818->66721 66819->66721 66820->66814 66821->66818 66822->66317 66823->66323 66824->66317 66825->66317 66826->66317 66828 6c60022e 66827->66828 66829 6c5d70c4 66828->66829 66834 6c7417db 66828->66834 66829->66331 66831->66333 66832->66335 66833->66337 66835 6c741806 66834->66835 66836 6c7417e9 66834->66836 66835->66828 66836->66835 66837 6c74180a 66836->66837 66839 6c7417f6 66836->66839 66842 6c741a02 66837->66842 66850 6c740120 18 API calls __wsopen_s 66839->66850 66843 6c741a0e __wsopen_s 66842->66843 66851 6c73c5a9 EnterCriticalSection 66843->66851 66845 6c741a1c 66852 6c7419bf 66845->66852 66849 6c74183c 66849->66828 66850->66835 66851->66845 66860 6c7485a6 66852->66860 66858 6c7419f9 66859 6c741a51 LeaveCriticalSection 66858->66859 66859->66849 66861 6c749c60 18 API calls 66860->66861 66862 6c7485b7 66861->66862 66863 6c7519e5 __wsopen_s 18 API calls 66862->66863 66864 6c7485bd __wsopen_s 66863->66864 66865 6c7419d3 66864->66865 66877 6c7447bb HeapFree GetLastError __dosmaperr 66864->66877 66867 6c74183e 66865->66867 66869 6c741850 66867->66869 66871 6c74186e 66867->66871 66868 6c74185e 66878 6c740120 18 API calls __wsopen_s 66868->66878 66869->66868 66869->66871 66874 6c741886 _Yarn 
66869->66874 66876 6c748659 62 API calls 66871->66876 66872 6c740cb9 62 API calls 66872->66874 66873 6c749c60 18 API calls 66873->66874 66874->66871 66874->66872 66874->66873 66875 6c74bb6c __wsopen_s 62 API calls 66874->66875 66875->66874 66876->66858 66877->66865 66878->66871 66880 6c736025 66879->66880 66881 6c602020 52 API calls 66880->66881 66882 6c7360c6 66881->66882 66883 6c736a43 std::_Facet_Register 4 API calls 66882->66883 66884 6c7360fe 66883->66884 66885 6c737327 43 API calls 66884->66885 66886 6c736112 66885->66886 66887 6c601d90 89 API calls 66886->66887 66888 6c7361bb 66887->66888 66889 6c7361ec 66888->66889 66931 6c602250 30 API calls 66888->66931 66889->66353 66891 6c736226 66932 6c6026e0 24 API calls 4 library calls 66891->66932 66893 6c736238 66933 6c739379 RaiseException 66893->66933 66895 6c73624d 66896 6c5fe010 67 API calls 66895->66896 66897 6c73625f 66896->66897 66897->66353 66899 6c73638d 66898->66899 66934 6c7365a0 66899->66934 66901 6c7363a5 66902 6c73647c 66901->66902 66952 6c602250 30 API calls 66901->66952 66953 6c6026e0 24 API calls 4 library calls 66901->66953 66954 6c739379 RaiseException 66901->66954 66902->66357 66907 6c61203f 66906->66907 66910 6c612053 66907->66910 66963 6c603560 32 API calls std::_Xinvalid_argument 66907->66963 66913 6c61210e 66910->66913 66965 6c602250 30 API calls 66910->66965 66966 6c6026e0 24 API calls 4 library calls 66910->66966 66967 6c739379 RaiseException 66910->66967 66912 6c612121 66912->66357 66913->66912 66964 6c6037e0 32 API calls std::_Xinvalid_argument 66913->66964 66917 6c735b9e 66916->66917 66921 6c735bd1 66916->66921 66918 6c6001f0 64 API calls 66917->66918 66920 6c735bc4 66918->66920 66919 6c735c83 66919->66364 66922 6c740b18 67 API calls 66920->66922 66921->66919 66968 6c602250 30 API calls 66921->66968 66922->66921 66924 6c735cae 66969 6c602340 24 API calls 66924->66969 66926 6c735cbe 66970 6c739379 RaiseException 66926->66970 66928 6c735cc9 66929 6c5fe010 67 API calls 66928->66929 66930 
6c735d22 std::ios_base::_Ios_base_dtor 66929->66930 66930->66364 66931->66891 66932->66893 66933->66895 66935 6c736608 66934->66935 66936 6c7365dc 66934->66936 66940 6c736619 66935->66940 66955 6c603560 32 API calls std::_Xinvalid_argument 66935->66955 66939 6c736601 66936->66939 66957 6c602250 30 API calls 66936->66957 66939->66901 66940->66939 66956 6c602f60 42 API calls 4 library calls 66940->66956 66941 6c7367e8 66958 6c602340 24 API calls 66941->66958 66943 6c7367f7 66959 6c739379 RaiseException 66943->66959 66947 6c736827 66961 6c602340 24 API calls 66947->66961 66949 6c73683d 66962 6c739379 RaiseException 66949->66962 66951 6c736653 66951->66939 66960 6c602250 30 API calls 66951->66960 66952->66901 66953->66901 66954->66901 66955->66940 66956->66951 66957->66941 66958->66943 66959->66951 66960->66947 66961->66949 66962->66939 66963->66910 66964->66912 66965->66910 66966->66910 66967->66910 66968->66924 66969->66926 66970->66928 66971 6c5b3d62 66973 6c5b3bc0 66971->66973 66972 6c5b3e8a GetCurrentThread NtSetInformationThread 66974 6c5b3eea 66972->66974 66973->66972 66975 6c5c4a27 66979 6c5c4a5d _strlen 66975->66979 66976 6c5d639e 67066 6c740130 18 API calls 2 library calls 66976->67066 66977 6c5c5b6f 66982 6c736a43 std::_Facet_Register 4 API calls 66977->66982 66978 6c5c5b58 66981 6c736a43 std::_Facet_Register 4 API calls 66978->66981 66979->66976 66979->66977 66979->66978 66983 6c5c5b09 _Yarn 66979->66983 66981->66983 66982->66983 66984 6c72aec0 2 API calls 66983->66984 66986 6c5c5bad std::ios_base::_Ios_base_dtor 66984->66986 66985 6c734ff0 4 API calls 66995 6c5c61cb _strlen 66985->66995 66986->66976 66986->66985 66989 6c5c9ba5 std::ios_base::_Ios_base_dtor _Yarn _strlen 66986->66989 66987 6c736a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66987->66989 66988 6c72aec0 2 API calls 66988->66989 66989->66976 66989->66987 66989->66988 66990 6c5ca292 Sleep 66989->66990 67008 6c5ce619 66989->67008 67007 
6c5c9bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 66990->67007 66991 6c5c660d 66994 6c736a43 std::_Facet_Register 4 API calls 66991->66994 66992 6c5c6624 66993 6c736a43 std::_Facet_Register 4 API calls 66992->66993 66999 6c5c65bc _Yarn _strlen 66993->66999 66994->66999 66995->66976 66995->66991 66995->66992 66995->66999 66996 6c5c9bbd GetCurrentProcess TerminateProcess 66996->66989 66997 6c5d63b2 67067 6c5b15e0 18 API calls std::ios_base::_Ios_base_dtor 66997->67067 66999->66997 67001 6c5c6989 66999->67001 67002 6c5c6970 66999->67002 67005 6c5c6920 _Yarn 66999->67005 67000 6c5d64f8 67004 6c736a43 std::_Facet_Register 4 API calls 67001->67004 67003 6c736a43 std::_Facet_Register 4 API calls 67002->67003 67003->67005 67004->67005 67006 6c735960 104 API calls 67005->67006 67009 6c5c69d6 std::ios_base::_Ios_base_dtor _strlen 67006->67009 67007->66976 67007->66989 67007->66996 67007->66997 67040 6c736a43 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 67007->67040 67063 6c735960 104 API calls 67007->67063 67065 6c734ff0 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 67007->67065 67010 6c5cf243 CreateFileA 67008->67010 67009->66976 67011 6c5c6dbb 67009->67011 67012 6c5c6dd2 67009->67012 67023 6c5c6d69 _Yarn _strlen 67009->67023 67024 6c5cf2a7 67010->67024 67013 6c736a43 std::_Facet_Register 4 API calls 67011->67013 67014 6c736a43 std::_Facet_Register 4 API calls 67012->67014 67013->67023 67014->67023 67015 6c5d02ca 67016 6c5c7427 67018 6c736a43 std::_Facet_Register 4 API calls 67016->67018 67017 6c5c7440 67019 6c736a43 std::_Facet_Register 4 API calls 67017->67019 67020 6c5c73da _Yarn 67018->67020 67019->67020 67022 6c735960 104 API calls 67020->67022 67021 6c5d02ac GetCurrentProcess TerminateProcess 67021->67015 67025 6c5c748d std::ios_base::_Ios_base_dtor _strlen 67022->67025 67023->66997 67023->67016 67023->67017 67023->67020 67024->67015 67024->67021 67025->66976 67026 6c5c79a8 67025->67026 67027 
6c5c7991 67025->67027 67030 6c5c7940 _Yarn _strlen 67025->67030 67028 6c736a43 std::_Facet_Register 4 API calls 67026->67028 67029 6c736a43 std::_Facet_Register 4 API calls 67027->67029 67028->67030 67029->67030 67030->66997 67031 6c5c7dc9 67030->67031 67032 6c5c7de2 67030->67032 67035 6c5c7d7c _Yarn 67030->67035 67033 6c736a43 std::_Facet_Register 4 API calls 67031->67033 67034 6c736a43 std::_Facet_Register 4 API calls 67032->67034 67033->67035 67034->67035 67036 6c735960 104 API calls 67035->67036 67037 6c5c7e2f std::ios_base::_Ios_base_dtor _strlen 67036->67037 67037->66976 67038 6c5c85bf 67037->67038 67039 6c5c85a8 67037->67039 67047 6c5c8556 _Yarn _strlen 67037->67047 67042 6c736a43 std::_Facet_Register 4 API calls 67038->67042 67041 6c736a43 std::_Facet_Register 4 API calls 67039->67041 67040->67007 67041->67047 67042->67047 67043 6c5c896a 67045 6c736a43 std::_Facet_Register 4 API calls 67043->67045 67044 6c5c8983 67046 6c736a43 std::_Facet_Register 4 API calls 67044->67046 67048 6c5c891d _Yarn 67045->67048 67046->67048 67047->66997 67047->67043 67047->67044 67047->67048 67049 6c735960 104 API calls 67048->67049 67052 6c5c89d0 std::ios_base::_Ios_base_dtor _strlen 67049->67052 67050 6c5c8f1f 67053 6c736a43 std::_Facet_Register 4 API calls 67050->67053 67051 6c5c8f36 67054 6c736a43 std::_Facet_Register 4 API calls 67051->67054 67052->66976 67052->67050 67052->67051 67055 6c5c8ecd _Yarn _strlen 67052->67055 67053->67055 67054->67055 67055->66997 67056 6c5c936d 67055->67056 67057 6c5c9354 67055->67057 67060 6c5c9307 _Yarn 67055->67060 67059 6c736a43 std::_Facet_Register 4 API calls 67056->67059 67058 6c736a43 std::_Facet_Register 4 API calls 67057->67058 67058->67060 67059->67060 67061 6c735960 104 API calls 67060->67061 67064 6c5c93ba std::ios_base::_Ios_base_dtor 67061->67064 67062 6c734ff0 4 API calls 67062->66989 67063->67007 67064->66976 67064->67062 67065->67007 67067->67000 67068 6c5cf150 67070 6c5cefbe 67068->67070 67069 6c5cf243 CreateFileA 67073 
6c5cf2a7 67069->67073 67070->67069 67071 6c5d02ca 67072 6c5d02ac GetCurrentProcess TerminateProcess 67072->67071 67073->67071 67073->67072 67074 6c73ef3f 67075 6c73ef4b __wsopen_s 67074->67075 67076 6c73ef52 GetLastError ExitThread 67075->67076 67077 6c73ef5f 67075->67077 67078 6c7449b2 __Getctype 37 API calls 67077->67078 67079 6c73ef64 67078->67079 67086 6c749d66 67079->67086 67082 6c73ef7b 67092 6c73eeaa 16 API calls 2 library calls 67082->67092 67085 6c73ef9d 67087 6c73ef6f 67086->67087 67088 6c749d78 GetPEB 67086->67088 67087->67082 67091 6c746d6f 5 API calls std::_Lockit::_Lockit 67087->67091 67088->67087 67089 6c749d8b 67088->67089 67093 6c746e18 5 API calls std::_Lockit::_Lockit 67089->67093 67091->67082 67092->67085 67093->67087
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
• Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: HR^
                                          • API String ID: 4218353326-1341859651
                                          • Opcode ID: 51d27fc549e8db8d2079cddd78f3bde684866434a1a0784ce9057ddd4dd2fbfa
                                          • Instruction ID: 752207de85e63a6ac6a3db0b1abe3c2c188e57518bceba60970c83ee5f24fedd
                                          • Opcode Fuzzy Hash: 51d27fc549e8db8d2079cddd78f3bde684866434a1a0784ce9057ddd4dd2fbfa
                                          • Instruction Fuzzy Hash: 19740771644B028FC728CF28CCE0695B7F3FF95318B198A6DC0969BA55EB74B54ACB40
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
• Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: }jk$;T55$L@^
                                          • API String ID: 0-4218709813
                                          • Opcode ID: e2091b211bf861d024357b6b13cc89303640605c21ed69ce39d5e2f29d4687cb
                                          • Instruction ID: 5e4f31a1cc6121a90b0b4d1cd2493ceb009576baadf4cc49e9a24fd5cb953f05
                                          • Opcode Fuzzy Hash: e2091b211bf861d024357b6b13cc89303640605c21ed69ce39d5e2f29d4687cb
                                          • Instruction Fuzzy Hash: 09342771744B018FC728CF68CCD0A95B7E3EF95318B198A2DC0A68BB55EB74B54ACB41

                                           Control-flow Graph: function at 6c735240; calls CreateToolhelp32Snapshot, CloseHandle, Process32FirstW, Process32NextW
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C73524E
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: CreateSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3332741929-0
                                          • Opcode ID: 56ff874fa11abcb6d2e72113aa4be17224c596d68c7b2494e6b3cb4f766deeb1
                                          • Instruction ID: 621aba03d5160dc48ade5da7afadd9748adebdbd9c6ffab504fa27be325280e1
                                          • Opcode Fuzzy Hash: 56ff874fa11abcb6d2e72113aa4be17224c596d68c7b2494e6b3cb4f766deeb1
                                          • Instruction Fuzzy Hash: 15317CB46093009FC7609F68D988B0ABBF4AF96758F50993EE48CC7361D771D8488B96

                                           Control-flow Graph: function at 6c5b3886; calls GetCurrentThread, NtSetInformationThread
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2938de3d2a6f8a181ee35d9c056a9641e091d0fa418aba7edbd7de9b87cafc01
                                          • Instruction ID: 08af0fa0975706f45ffb937d70b2dce12fb8721c2464af43cd14ad758494a3bd
                                          • Opcode Fuzzy Hash: 2938de3d2a6f8a181ee35d9c056a9641e091d0fa418aba7edbd7de9b87cafc01
                                          • Instruction Fuzzy Hash: A232A432245B018FC324CF28CCE0695BBE3EFD53147698A6DC0EA6BA55DB75B44ACB50

                                           Control-flow Graph: function at 6c5b3a6a; calls GetCurrentThread, NtSetInformationThread
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          • Opcode ID: 027ba52aeb38c9d559805223ef86fbc57a9eb562ea6ad2327507919fc480766b
                                          • Instruction ID: ab4919f70b4e8111e28c1d64f3d3fe06effa56b563fc41fcedc806a4fd9966e3
                                          • Opcode Fuzzy Hash: 027ba52aeb38c9d559805223ef86fbc57a9eb562ea6ad2327507919fc480766b
                                          • Instruction Fuzzy Hash: C851DF716457018FC320CF28C8A4785BBE3BF91314F698E1DD0EA2BA95DB75B44A8B91
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: CurrentThread
                                          • String ID:
                                          • API String ID: 2882836952-0
                                          • Opcode ID: e83524e773b8b814c1ccfe3c65dc766cdb209f78cdc11bc0cb2d6de3105128fe
                                          • Instruction ID: dfe0bb9c6c22c5cb77491a2f602a02bd2ff248c7bc6ec8fb762b9651886b0e27
                                          • Opcode Fuzzy Hash: e83524e773b8b814c1ccfe3c65dc766cdb209f78cdc11bc0cb2d6de3105128fe
                                          • Instruction Fuzzy Hash: AE51BF71504B018BC320CF28C8A0795BBA3BF95314F658E1DD0EA7BAA5DF71B44A8B91
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6C5B3E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C5B3EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: 7b4d38fc167323a0e96f71fb5b76c6598b38a1068fc9808394756df1c79d37e5
                                          • Instruction ID: c130909cdec608e9b504dc7b04657a3de9acf20fbfeb4aa9a486002c52512420
                                          • Opcode Fuzzy Hash: 7b4d38fc167323a0e96f71fb5b76c6598b38a1068fc9808394756df1c79d37e5
                                          • Instruction Fuzzy Hash: 39310031645B01CFC730CF28CCA47C6BBA2AF96318F194E1DD0AA6BA90DB7574099B51
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6C5B3E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C5B3EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: 9dae457ccb4fe53f3034fe3e3685e6657048b3d945fd8614e43b84e361a82ad1
                                          • Instruction ID: de8a05bb5492115dfbfd9af8848b33f7414a3b23b3f3671fd58166d603c817f5
                                          • Opcode Fuzzy Hash: 9dae457ccb4fe53f3034fe3e3685e6657048b3d945fd8614e43b84e361a82ad1
                                          • Instruction Fuzzy Hash: 2A31EF31104B01CFC734CF28C8A4796BFA6AF96308F654E1DD0AA7BA95DB717449CB91
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 6C5B3E9D
                                          • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C5B3EAA
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: Thread$CurrentInformation
                                          • String ID:
                                          • API String ID: 1650627709-0
                                          • Opcode ID: 420ca538dda8027e8d9a147851821fcd539486bb667c6979c4b35b77d8a8d038
                                          • Instruction ID: 3ef4ec12c37d8818dc722b589e90c1e76f44e04599cad7e53fb38198a1a069b7
                                          • Opcode Fuzzy Hash: 420ca538dda8027e8d9a147851821fcd539486bb667c6979c4b35b77d8a8d038
                                          • Instruction Fuzzy Hash: 7121E270618701CBD734CF64CCA47967FA6AF82308F554E2DD0AA7BA90DF75A4088B51
                                          APIs
                                          • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C735130
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID:
                                          • API String ID: 1889721586-0
                                          • Opcode ID: a43a52472e2be84ae3001c4a06d619613ef265c70b26912d624b97738886a4da
                                          • Instruction ID: a9f0ca930cff717490394cfa081d76a9793306fc4cea32eea7eab47db4417e0e
                                          • Opcode Fuzzy Hash: a43a52472e2be84ae3001c4a06d619613ef265c70b26912d624b97738886a4da
                                          • Instruction Fuzzy Hash: ED3149B4608311EFC7508F68D644A0ABBF0ABC9758F509D6AF888C6361D371C844DB93
                                          APIs
                                          • FindFirstFileA.KERNEL32(?,?), ref: 6C72AEDC
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 587e291e1040877d8748c615272f36f1e878cf28a10db95badd1e55417a7f946
                                          • Instruction ID: dc61514b3f4eacc3d05423c5049adab32e6cf8e0e73d5abef1cb937c525e1ed8
                                          • Opcode Fuzzy Hash: 587e291e1040877d8748c615272f36f1e878cf28a10db95badd1e55417a7f946
                                          • Instruction Fuzzy Hash: 10114CB4509350AFD7208F28D64450EBBE4BF86324F148E69F4A9CB791D338CC44CB62
                                          APIs
                                          • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C70ABA7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                                          • API String ID: 2738559852-1563143607
                                          • Opcode ID: d055e34800bbdbc75589130e44cacf13c9a4d0d335aca5d435efc7c6f130cd4d
                                          • Instruction ID: 32ca3ee4d0e4af0404b9588ef1ca567ba7e6e77ac9dc3721ba78743e30a09639
                                          • Opcode Fuzzy Hash: d055e34800bbdbc75589130e44cacf13c9a4d0d335aca5d435efc7c6f130cd4d
                                          • Instruction Fuzzy Hash: B66269B060D3818FC724CF18C590A5ABBE2AFD9314F248D6EE9A9CB751D734E9458B43

                                           Control-flow Graph
                                           • Entry block: 6c74cad3; API calls in graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError (graph rendering not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: 8Q
                                          • API String ID: 0-4022487301
                                          • Opcode ID: e126b907dd6c2290f65518f3c5b05bc5dc7f027455fd012229d11e184be16a84
                                          • Instruction ID: 3f031db92b8da7571bc40645cc688598244f80d3f136a1cf132ea3ea67e96106
                                          • Opcode Fuzzy Hash: e126b907dd6c2290f65518f3c5b05bc5dc7f027455fd012229d11e184be16a84
                                          • Instruction Fuzzy Hash: 6DC10570A04359AFDF01DFA9CA85BEDBFB4AF0A319F108169E454AB781C7719909CF60

                                           Control-flow Graph
                                           • Entry block: 6c75406c; API calls in graph: GetFileType, GetLastError, CloseHandle (graph rendering not reproduced)
                                          APIs
                                            • Part of subcall function 6C754457: CreateFileW.KERNEL32(00000000,00000000,?,6C754115,?,?,00000000,?,6C754115,00000000,0000000C), ref: 6C754474
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C754180
                                          • __dosmaperr.LIBCMT ref: 6C754187
                                          • GetFileType.KERNEL32(00000000), ref: 6C754193
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C75419D
                                          • __dosmaperr.LIBCMT ref: 6C7541A6
                                          • CloseHandle.KERNEL32(00000000), ref: 6C7541C6
                                          • CloseHandle.KERNEL32(6C74B0D0), ref: 6C754313
                                          • GetLastError.KERNEL32 ref: 6C754345
                                          • __dosmaperr.LIBCMT ref: 6C75434C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: 8Q
                                          • API String ID: 4237864984-4022487301
                                          • Opcode ID: 776c30034bf8efd51374a1b4a90455126555cdf6b10a940d65cda7f9996b641e
                                          • Instruction ID: a89c842beb91a2f36640b3220714bae1b94898ecb31c3a86772a47bfa5fbf71c
                                          • Opcode Fuzzy Hash: 776c30034bf8efd51374a1b4a90455126555cdf6b10a940d65cda7f9996b641e
                                          • Instruction Fuzzy Hash: 29A13632A042549FCF18CF68C9557EE3BB1AB07328F544269E815AF791CB358836DB51

                                           Control-flow Graph
                                           • Entry block: 6c70c1e0; API calls in graph: WriteFile, ReadFile (graph rendering not reproduced)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: :uW$;uW$;uW$> 4!$> 4!
                                          • API String ID: 0-4100612575
                                          • Opcode ID: 6bd925b31bbcfeb6569e9a6f9ac7f805fcfb46548252f5089773f375abce7c9f
                                          • Instruction ID: ad00ef8b329d85c56d13e7ac646304ab198acb502f2541ab0b552ff0f43ed748
                                          • Opcode Fuzzy Hash: 6bd925b31bbcfeb6569e9a6f9ac7f805fcfb46548252f5089773f375abce7c9f
                                          • Instruction Fuzzy Hash: 68717CB0209345AFD720DF54C580B9ABBF4FF8A709F10892EF598D6A51D371D8489BA3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: K?Jo$K?Jo$`Rlx$7eO
                                          • API String ID: 0-174837320
                                          • Opcode ID: b847c224f8b7c0c3707f8da4c0b3455831bceddf47e70117aeca5cd86b9efbc8
                                          • Instruction ID: 6e23b7ea54ef5c30ff6f5e602e1783e1a8d83c1ec8ac0a754230f5c9dcd5dec2
                                          • Opcode Fuzzy Hash: b847c224f8b7c0c3707f8da4c0b3455831bceddf47e70117aeca5cd86b9efbc8
                                          • Instruction Fuzzy Hash: 884287B4609342CFC754CF28C180A1ABBE1AFD9315F249D2EE5A58BB21D734EA45CB53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID:
                                          • String ID: ;T55
                                          • API String ID: 0-2572755013
                                          • Opcode ID: f1168a62efd2ec29dbcc793a5fc680009a103b7df5eaaa79bd39af274c1a7775
                                          • Instruction ID: 6abc57a9901dc217d4ee9b6a073f0620f46e8b4d22b1a58340fdba4e3fb2bc84
                                          • Opcode Fuzzy Hash: f1168a62efd2ec29dbcc793a5fc680009a103b7df5eaaa79bd39af274c1a7775
                                          • Instruction Fuzzy Hash: 5D03E131745B018FC728CF28CCD0696B7E3AFD53287598B2DC0AA4BA95DB74B44ACB51

                                           Control-flow Graph
                                           • Entry block: 6c734ff0; API calls in graph: CreateProcessA, WaitForSingleObject, CloseHandle (x2) (graph rendering not reproduced)
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: D
                                          • API String ID: 963392458-2746444292
                                          • Opcode ID: 55d2d03fa806f49b0498beb314fac98308aff4c03b1863247a7578d0884379d5
                                          • Instruction ID: b79f43c6e4a6b581f4c960a8022dcab58a07ae1d63865d039d4f4b1b7456c24b
                                          • Opcode Fuzzy Hash: 55d2d03fa806f49b0498beb314fac98308aff4c03b1863247a7578d0884379d5
                                          • Instruction Fuzzy Hash: F431D3708093408FD750DF29D29872ABBF0AB9A318F506E2DF8D996251E7799588CB43

                                           Control-flow Graph
                                           • Entry block: 6c74bc5e; API calls in graph: WriteFile, GetLastError (graph rendering not reproduced)
                                          APIs
                                            • Part of subcall function 6C74BEB1: GetConsoleCP.KERNEL32(?,6C74B0D0,?), ref: 6C74BEF9
                                          • WriteFile.KERNEL32(?,?,6C7546EC,00000000,00000000,?,00000000,00000000,6C755AB6,00000000,00000000,?,00000000,6C74B0D0,6C7546EC,00000000), ref: 6C74BDAF
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7546EC,6C74B0D0,00000000,?,?,?,?,00000000,?), ref: 6C74BDB9
                                          • __dosmaperr.LIBCMT ref: 6C74BDFE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 251514795-4022487301
                                          • Opcode ID: c66acda4ccf3d22032fd83f59b0fadac3413733d21ce6529b061f30091944826
                                          • Instruction ID: c8a2f25efb7e29b609724e7ca0c4ee11286b5de152b364122f70234d86f43a2e
                                          • Opcode Fuzzy Hash: c66acda4ccf3d22032fd83f59b0fadac3413733d21ce6529b061f30091944826
                                          • Instruction Fuzzy Hash: 8F510C71900A19AFDB00CFA8CA89FEE7B79EF4635CF1454A1D500A7A41D770AD05CBA1

                                           Control-flow Graph
                                           • Entry block: 6c735b90; internal calls only, no imported API nodes (graph rendering not reproduced)
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C735D31
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 323602529-1866435925
                                          • Opcode ID: 60054e409249817a966af14294a6350cb975e945ff81bf45b048b46dcfc32ecb
                                          • Instruction ID: 5ff84d94c50c0c2d68c5f2b50c658503b24d3438c5af470a8bc39d0ee5eead2a
                                          • Opcode Fuzzy Hash: 60054e409249817a966af14294a6350cb975e945ff81bf45b048b46dcfc32ecb
                                          • Instruction Fuzzy Hash: 285124B5500B008FD725CF25CA85B96BBF1FB89318F508A2DD88A4BB91D775A909CF90

                                           Control-flow Graph
                                           • Entry block: 6c74b925; API calls in graph: CloseHandle, GetLastError (graph rendering not reproduced)
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,?,00000000,?,6C75425F), ref: 6C74B97B
                                          • GetLastError.KERNEL32(?,00000000,?,6C75425F), ref: 6C74B985
                                          • __dosmaperr.LIBCMT ref: 6C74B9B0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID:
                                          • API String ID: 2583163307-0
                                          • Opcode ID: 38a87f51f9f4603b4944b70abbd7e2ad4430b23bc8a2cfe0afdc2f3ae396d209
                                          • Instruction ID: 2d6103c4b29a5ff3fd51b6bd518594e39550d926225125f31794e51004cae8ab
                                          • Opcode Fuzzy Hash: 38a87f51f9f4603b4944b70abbd7e2ad4430b23bc8a2cfe0afdc2f3ae396d209
                                          • Instruction Fuzzy Hash: BA018233649A20DBC6100A3A964D7AD3F654F8373DF698379E8158BAC0CF70EC898190

                                           Control-flow Graph

                                           (graph image not preserved; legend: Executed / Not Executed. Function 6C740B9C-6C740C12; its basic blocks call 6C73F9CC, 6C740120, 6C74AE75, 6C740CB9, 6C74873E, 6C749C60, 6C74B898 and 6C7447BB.)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 8Q
                                          • API String ID: 0-4022487301
                                          • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                          • Instruction ID: e85c06ae8a0b53a53dccd4ac022fac4f5a9284f21d38d90451c97fb814042560
                                          • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                          • Instruction Fuzzy Hash: 3BF0F932501654DAC6211E798F0CBDB36A89F6237CF108715E87497ED0DB70D40ACAE5
                                          APIs
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C735AB4
                                          • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C735AF4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: Ios_base_dtorstd::ios_base::_
                                          • String ID:
                                          • API String ID: 323602529-0
                                          • Opcode ID: 7e766548c3cee144102686d43f973cbaf1caacdcd0ee877486648203c5995533
                                          • Instruction ID: b698f44f01d0731c235da06a083ab9553e580b37713cc2ac94bb448ea0e90047
                                          • Opcode Fuzzy Hash: 7e766548c3cee144102686d43f973cbaf1caacdcd0ee877486648203c5995533
                                          • Instruction Fuzzy Hash: 75512771101B00DBE725CF25C988BD6BBF4BB04718F448A1DD4AE4BB92DB34B949CB80
                                          APIs
                                          • GetLastError.KERNEL32(6C766DD8,0000000C), ref: 6C73EF52
                                          • ExitThread.KERNEL32 ref: 6C73EF59
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ErrorExitLastThread
                                          • String ID:
                                          • API String ID: 1611280651-0
                                          • Opcode ID: 2138157ef7fe9580d829e46698e89fbfee621295b94939114ed0e07de77cee5c
                                          • Instruction ID: 2612c144433110fcc38a9667778709822f459ec8ae80f30abc113792c7c8fde5
                                          • Opcode Fuzzy Hash: 2138157ef7fe9580d829e46698e89fbfee621295b94939114ed0e07de77cee5c
                                          • Instruction Fuzzy Hash: 26F0C2B1A00614AFDF049FB1CA0EAAE3B74FF41318F148659E009A7B82CB755A05DBA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          • Opcode ID: 7c1aa4df06cd66494aff1b9401bba222ab241d4b4d0ed02379628ce218836aa2
                                          • Instruction ID: 4da925891082a317179a670b3b7b9e7839c5fa796287953887cf0c62063f3d57
                                          • Opcode Fuzzy Hash: 7c1aa4df06cd66494aff1b9401bba222ab241d4b4d0ed02379628ce218836aa2
                                          • Instruction Fuzzy Hash: 9A116A71A0420EAFCB05CF58E94599F3BF8EF89318F004469F808AB351D631ED21CBA4
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                          • Instruction ID: d0468310f5339f1e67b223c402348a3c19362d59642006dee4bfa5a67ff274e6
                                          • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                          • Instruction Fuzzy Hash: A6014472D01159BFCF029FA88E059EE7FB5AF08314F144165ED28E2650E7318635EB91
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000000,?,6C754115,?,?,00000000,?,6C754115,00000000,0000000C), ref: 6C754474
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 4747b17953e0dee6749bba30b09afcf02487e7f4b8a9b568428d0855dc90bb64
                                          • Instruction ID: 5a0c1ed85aa94c0cabd7af0468624e9c0d67e7a03860649cdad3b97033810d45
                                          • Opcode Fuzzy Hash: 4747b17953e0dee6749bba30b09afcf02487e7f4b8a9b568428d0855dc90bb64
                                          • Instruction Fuzzy Hash: 50D06C3210020DBBDF028F85DC06EDA3BAAFB88754F014010BA1856020C732E861AB94
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                          • Instruction ID: a54ed3de375d69c77233b133898600092c96c800a07cc3d76a2f59feb100ce24
                                          • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                          • Instruction Fuzzy Hash:
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: g)''
                                          • API String ID: 4218353326-3487984327
                                          • Opcode ID: c6fee45b56c3557895c701ad8af4b0f978e3afce2b9e4947b95168389a96ec02
                                          • Instruction ID: 2356f6de970cb661bd88a4935dd078342001917b4c9d9e406b56b1f5558d9c7a
                                          • Opcode Fuzzy Hash: c6fee45b56c3557895c701ad8af4b0f978e3afce2b9e4947b95168389a96ec02
                                          • Instruction Fuzzy Hash: 73631271644B118FC728CF28C9D0A95B7F3BFD53187198A6DC0EA4BA56EB74B44ACB40
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 6C735D6A
                                          • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C735D76
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C735D84
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C735DAB
                                          • NtInitiatePowerAction.NTDLL ref: 6C735DBF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3256374457-3733053543
                                          • Opcode ID: af4a175af4da3eb6b278cd1fdf82ca1b60e480255069a876560b78b986f7dca6
                                          • Instruction ID: 43fe51c363e80154d619b1d4498433cc7b55ec9f46161d63c47546ce1eabb1b6
                                          • Opcode Fuzzy Hash: af4a175af4da3eb6b278cd1fdf82ca1b60e480255069a876560b78b986f7dca6
                                          • Instruction Fuzzy Hash: FAF0BB706453007BEA206F54DD0EB5A7FB4EFC5705F015928F949960C1E7715984C7D2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \j`7$\j`7$j
                                          • API String ID: 0-3644614255
                                          • Opcode ID: 3a952f69ff29d4544c62e01545b3c6504eb3201a20741180bbd3f1733d3939e5
                                          • Instruction ID: 56e5b53aaf6406142a8d31b499417172118cb3ef1d51f9c74105808ee20c7878
                                          • Opcode Fuzzy Hash: 3a952f69ff29d4544c62e01545b3c6504eb3201a20741180bbd3f1733d3939e5
                                          • Instruction Fuzzy Hash: BA4244756093828FCB54CF68C8A066ABBE1BBC9354F144E2EE499E7760D334D849CB53
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C796CE5
                                            • Part of subcall function 6C76CC2A: __EH_prolog.LIBCMT ref: 6C76CC2F
                                            • Part of subcall function 6C76E6A6: __EH_prolog.LIBCMT ref: 6C76E6AB
                                            • Part of subcall function 6C796A0E: __EH_prolog.LIBCMT ref: 6C796A13
                                            • Part of subcall function 6C796837: __EH_prolog.LIBCMT ref: 6C79683C
                                            • Part of subcall function 6C79A143: __EH_prolog.LIBCMT ref: 6C79A148
                                            • Part of subcall function 6C79A143: ctype.LIBCPMT ref: 6C79A16C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog$ctype
                                          • String ID:
                                          • API String ID: 1039218491-3916222277
                                          • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                          • Instruction ID: 63e62bdf9b2b1f34d9da31b2f0b7a1358a5046b57c1f8b37c4cdd207aa856fd6
                                          • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                          • Instruction Fuzzy Hash: BD03CF30805258DFDF15CFA5DA88BDCBBB0AF25318F2480AAD84567B91DB345B8DCB61
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6C740279
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6C740283
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6C740290
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 3a7d24f93cb10b6fc1a72ae2e9aa181584b7bf3af7d52a0ee5073b2443c351d9
                                          • Instruction ID: 6073a672a2c84c2869da3e4e54b52d6fa7d77833416e6de4e2b38f2da9a96c4a
                                          • Opcode Fuzzy Hash: 3a7d24f93cb10b6fc1a72ae2e9aa181584b7bf3af7d52a0ee5073b2443c351d9
                                          • Instruction Fuzzy Hash: 2631C47590122CDBCB21DF69D988BDDBBB4BF08314F5091EAE41DA7290EB709B858F44
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,6C73F235,?,?,?,?), ref: 6C73F19F
                                          • TerminateProcess.KERNEL32(00000000,?,6C73F235,?,?,?,?), ref: 6C73F1A6
                                          • ExitProcess.KERNEL32 ref: 6C73F1B8
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: d3d9116a8794f4f56e17d220b64fd78861ec66e921a0bad683bf367ca8e0a642
                                          • Instruction ID: 73641a81968ffce8fed3f3420d036f1d7f232b49ae064569114159dc1f589754
                                          • Opcode Fuzzy Hash: d3d9116a8794f4f56e17d220b64fd78861ec66e921a0bad683bf367ca8e0a642
                                          • Instruction Fuzzy Hash: 6EE04632101208AFCF02AF5ADA1CAA93B38FB4639AF004424F908C6622CB35D981DA40
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: x=J
                                          • API String ID: 3519838083-1497497802
                                          • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                          • Instruction ID: d66023fac8b4a3871e52d9e602f73093d02ebc7360db6683616ecedc43fd7036
                                          • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                          • Instruction Fuzzy Hash: 81910431D01109DECF04DFA6CA98AEDB775FF26348F20806ADC5167E51DB32598ACB50
                                          APIs
                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C7378B0
                                          • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C7380D3
                                            • Part of subcall function 6C739379: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C7380BC,00000000,?,?,?,6C7380BC,?,6C76554C), ref: 6C7393D9
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                          • String ID:
                                          • API String ID: 915016180-0
                                          • Opcode ID: 015a1b723b706d3948a5149ae3bc4fa7a833b2bb40c0bb9070e1367f9d9bbb8e
                                          • Instruction ID: 857f23a510408b0e844babe93f73614dc912b1a3d173ba3bc2866aeb2380686c
                                          • Opcode Fuzzy Hash: 015a1b723b706d3948a5149ae3bc4fa7a833b2bb40c0bb9070e1367f9d9bbb8e
                                          • Instruction Fuzzy Hash: DAB1E072A01214ABCB25CF95C98169EBBB4FB45318F24AA3FD419EB781D3349945CF90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @4J$DsL
                                          • API String ID: 0-2004129199
                                          • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                          • Instruction ID: 85f8b3fb162eadaeb2a2b3c5613005daf086380838330baf459a017f3113cb8d
                                          • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                          • Instruction Fuzzy Hash: 9C218F377A49564BD74CCA28DC33AB92681E744305F88527EE94BCB7E1DE6C8800C648
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C78540F
                                            • Part of subcall function 6C786137: __EH_prolog.LIBCMT ref: 6C78613C
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                          • Instruction ID: 77b1d988eee46def5f0b7c20627443a5c38b6b0112bf6729c9d655f73a6e76fc
                                          • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                          • Instruction Fuzzy Hash: 5C628A30902219CFEF55CFA4D698BDDBBB1BF04308F14417AEA16AB681D7749A44CF91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: YA1
                                          • API String ID: 0-613462611
                                          • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                          • Instruction ID: f81ebc9bfd91d5aa4f818f2a4504d4b5587c402fcadb8545475295df4af29b24
                                          • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                          • Instruction Fuzzy Hash: E642E5706483818FC315CF28C59069AFBE2FFE9308F16496DE4D98B742D671E906CB96
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: __aullrem
                                          • String ID:
                                          • API String ID: 3758378126-0
                                          • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                          • Instruction ID: 8e5a1899e2055cc222bb3bb71231533e4305d82536d127d6b1156ea527d71618
                                          • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                          • Instruction Fuzzy Hash: 1A51E8B1A043859BD710CF5AC4C12EEFBE6EF79214F18C05EE8C897242D27A5D9AC760
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                          • Instruction ID: 356f59ccd84c94eb29130e1266fc33653a63c24fb86230c4eacbd92e06afdd82
                                          • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                          • Instruction Fuzzy Hash: 6B02DC326083408BD725CF28C69079EBBF2EFC8368F144A2DE4D597B52D7709849CB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: (SL
                                          • API String ID: 0-669240678
                                          • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                          • Instruction ID: 4ce495165580b155180c5b091b07e73c13b6ef6554ea9c1a5814f924bcc20488
                                          • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                          • Instruction Fuzzy Hash: 9B518473E208214AD79CCE24DC2177572D2E784310F8AC1B99D4BAB6E6C978589087D4
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                          • Instruction ID: a77851cca38addc663aaf824a97e99b4d7c80f72cc80e2f5b2b62845c38fbb86
                                          • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                          • Instruction Fuzzy Hash: 11525032204B858BD728CF29C69466ABBE2BF99308F148A2DD4DAC7B41DB74F445DB41
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                          • Instruction ID: 2ee545c6d68b7402760851422e5b720d807299651f9eecb9f3dbb0cdc0aa1a3b
                                          • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                          • Instruction Fuzzy Hash: A362E3B5A083458FC714CF19C6C051ABBF5BFC8754F248A2EE8A987715D770E846CB92
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                          • Instruction ID: 2b8905046de51ee9e8afe22b12fcdab97036b5832e40e0300ad1699a9b2139af
                                          • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                          • Instruction Fuzzy Hash: 5612CC722093418FC718CF68C69466AFBE2BFC8344F54893DE9968BB52D731E845CB81
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                          • Instruction ID: c5411cd3066fac8a9bad383c5c9be27b2c6449ded7a7ebef205c9175755f32e4
                                          • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                          • Instruction Fuzzy Hash: 78023B32A483118BD318CE2CC6D0219BBF2FBC4355F194B2EE4A697B56D7709846DB92
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                          • Instruction ID: 2df5520e67ba115745f9abd5bc51999c71485cb8c9f6e389fdf7474f9464cfb0
                                          • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                          • Instruction Fuzzy Hash: 6EF102326042898BEB24CF28D9607EEB7E2FBC5304F594539D889CBB41DB35A54AC791
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                          • Instruction ID: a2e249c95fcc4804802a8d94206d083f17357dc0042dcfa7a57bb8b1b6e37cfe
                                          • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                          • Instruction Fuzzy Hash: 27D143725047068FD318CF1DE594236BBE1FF8A304F054ABDDAA28BB8AD7349605CB40
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                          • Instruction ID: c3c13abb0ff7c35a6d3b3c60ba9af0b12ff3bccf43ffa6d1c23d4aaab9710d35
                                          • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                          • Instruction Fuzzy Hash: 8BC1B4362047428BC719CF3AD1A4696BBE2EFDD314F148A6DC4CA4BB56DA30A80DCB55
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                          • Instruction ID: 8410e742a74f094001a73b5d36dd83e577ebfbd736d09efb3e1decff85038ee2
                                          • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                          • Instruction Fuzzy Hash: 18B1AF31305B094BD325DF39CA98BEAB7E1BF84308F05452DC5AA87781EF31B9098B95
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                          • Instruction ID: 19006a430ec51d7943c69aabbfc2d9bca209a9a9c329f05f2a057827456a298d
                                          • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                          • Instruction Fuzzy Hash: 5EB18B766047028BC304DF29C9806ABF7E2FFC8304F14896DE499C7716E771A95ACB95
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                          • Instruction ID: 2f01d53f7267632f75039163ee56b735ed3c77a08938d6eb9f4e6ec647cb71d7
                                          • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                          • Instruction Fuzzy Hash: 2AA1C47360C3418FC315DF29C59069ABBE1AFE9308F544A3DE4DA87B51D631E94ACB42
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                          • Instruction ID: 1a53a7c79b6c1ceb813ad457f73fcb19cc7fb7d74a8a8392a8a145a09e79797c
                                          • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                          • Instruction Fuzzy Hash: 6781B536A047058FC320CF2AC180286B7E1FFAD714F28C96DC5999B715E772E94ACB41
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                          • Instruction ID: 196465437bcf9a1b41dd37c0bc2b2cef6add30d4429930664f00f63de06a95e3
                                          • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                          • Instruction Fuzzy Hash: 41516072F026099FDB08CEA8DE926EDBBF1EB88304F248179D515E7782D7749A41CB50
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                          • Instruction ID: bffc5625ce2c3626fd9a898c679c218deb2552c15cebf6d59930a126381edb4e
                                          • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                          • Instruction Fuzzy Hash: 843114277A540113C70CCD3BCD1A79F91975BD422A70ECF396D05DEF55D52CC8128154
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                          • Instruction ID: 045af33e964cb92fe4a335cf72298ad50bddf24a82752f437c5853933d3b716c
                                          • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                          • Instruction Fuzzy Hash: 90219077320A0647E74C8A38D93737532D0A705318F98A62DEA6BCE2C2D77AC457C385
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4efaf8b96cc4fac2facaa0816fb4510f46d0d07e54909dae8bda015cfd304cc7
                                          • Instruction ID: 73abf3e2a3c94f1d5a459c46a7eff564e4698d3194190439939d099c18f8e36a
                                          • Opcode Fuzzy Hash: 4efaf8b96cc4fac2facaa0816fb4510f46d0d07e54909dae8bda015cfd304cc7
                                          • Instruction Fuzzy Hash: 2AF06572A15334DBCB22DB8CC60AB8973BCEB45B65F1154A6E509DB640C7B0EE40CBD0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                          • Instruction ID: c865f6ea8179446ce5ded79449ff28cc251e41bbc3fabfdd3ad468e448c39e53
                                          • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                          • Instruction Fuzzy Hash: FBE08C72A12238FBCB15EB88CA09D8AB3ECEB48B15B1180A6B511D3610D270DE00CBD0
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                          • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                                          • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                                          • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                          • API String ID: 3519838083-609671
                                          • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                          • Instruction ID: 4a01ec2fb9f28c5e11f0276e546d0da4c45409d81f1996568c937a13f288a068
                                          • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                          • Instruction Fuzzy Hash: B1D1A471A0420DDFDF11CFA4EA94BEEB7B6FF05308F14452AE456A3A50DB719948CBA0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: __aulldiv$H_prolog
                                          • String ID: >WJ$x$x
                                          • API String ID: 2300968129-3162267903
                                          • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                          • Instruction ID: 7c44f930ff5b09dab771c903a358ecb88c0925bdaa51b235f35808fb067dd88c
                                          • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                          • Instruction Fuzzy Hash: 82128A71911209EFCF10CFA5CA88ADDBBB5FF08318F208579EA19AB650DB359A45CF50
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 6C739B07
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 6C739B0F
                                          • _ValidateLocalCookies.LIBCMT ref: 6C739B98
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 6C739BC3
                                          • _ValidateLocalCookies.LIBCMT ref: 6C739C18
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 8cf3a7c10b0167fa3eaee719cb8063e804b4666d0197e1ce0773a1ef6dddc2ad
                                          • Instruction ID: eae7c4a0608555e7cfc55df74371283b467659d6ceb27ad1cac1f267175195b5
                                          • Opcode Fuzzy Hash: 8cf3a7c10b0167fa3eaee719cb8063e804b4666d0197e1ce0773a1ef6dddc2ad
                                          • Instruction Fuzzy Hash: EE41D230A10228AFCF10DF68C988ADE7BB5BF55318F249165E81C9BB52DF35DA05CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: api-ms-$ext-ms-
                                          • API String ID: 0-537541572
                                          • Opcode ID: cddb29242874833aad28b860335a34fe1141e71c7765c0433ab106ccffcca6e0
                                          • Instruction ID: addd5398c0e807d2eb5eae2cff1a816f571a29ebac6f9ff01e2b5d997449ba0a
                                          • Opcode Fuzzy Hash: cddb29242874833aad28b860335a34fe1141e71c7765c0433ab106ccffcca6e0
                                          • Instruction Fuzzy Hash: 4F21EB32A56321BBDB118B69CE44E5A37A8AB07768F164671F995E7A80D730DF00C6E0
                                          APIs
                                          • GetConsoleCP.KERNEL32(?,6C74B0D0,?), ref: 6C74BEF9
                                          • __fassign.LIBCMT ref: 6C74C0D8
                                          • __fassign.LIBCMT ref: 6C74C0F5
                                          • WriteFile.KERNEL32(?,6C755AB6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C74C13D
                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C74C17D
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C74C229
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                          • String ID:
                                          • API String ID: 4031098158-0
                                          • Opcode ID: 9d67cbbca655850842ad85e30514ad46779711365b08b22f07582c4607f0137c
                                          • Instruction ID: d0b131bc9194b7ba85ea443b8c7d05e5dbded05c12e1592d4cac3f15f9744127
                                          • Opcode Fuzzy Hash: 9d67cbbca655850842ad85e30514ad46779711365b08b22f07582c4607f0137c
                                          • Instruction Fuzzy Hash: 8AD19D71E012589FCF15CFE8CA809EDBBB5BF49315F24816AE855BB242D731A90ACF50
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C602F95
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C602FAF
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C602FD0
                                          • __Getctype.LIBCPMT ref: 6C603084
                                          • std::_Facet_Register.LIBCPMT ref: 6C60309C
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C6030B7
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                          • String ID:
                                          • API String ID: 1102183713-0
                                          • Opcode ID: 31606b82539d54fbbbd5388b9d28b6ff887243255ee605749761b64c3f10b9a9
                                          • Instruction ID: aed2382d99bd24aac38623ae41729fbd81ab40987855c2cb09aa2699de235f0c
                                          • Opcode Fuzzy Hash: 31606b82539d54fbbbd5388b9d28b6ff887243255ee605749761b64c3f10b9a9
                                          • Instruction Fuzzy Hash: AC416971E042188FCB24CF85CA58B9EBBB4FF85718F054528D859BB781D735AA08CBD4
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: __aulldiv$__aullrem
                                          • String ID:
                                          • API String ID: 2022606265-0
                                          • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                          • Instruction ID: 84491d9140efb18c927819d2ace359f53d38942dbde353ddecc1ffd2edd8de34
                                          • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                          • Instruction Fuzzy Hash: 37218F30A0121DBFDF708FA89E44DDF7A69EF427A8F208636B52561690D6718D60C6F1
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C77A6F1
                                            • Part of subcall function 6C789173: __EH_prolog.LIBCMT ref: 6C789178
                                          • __EH_prolog.LIBCMT ref: 6C77A8F9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: IJ$WIJ$J
                                          • API String ID: 3519838083-740443243
                                          • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                          • Instruction ID: 7c76d0b2036de484d180a24dcc9890068048e24509c6850349c35e5b8787aaf5
                                          • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                          • Instruction Fuzzy Hash: D771B130900259DFDF24CFA5C648BEDB7B4BF14318F1084A9D8556BB91CB74AA49CBA1
                                          APIs
                                          • ___std_exception_destroy.LIBVCRUNTIME ref: 6C602A76
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ___std_exception_destroy
                                          • String ID: U#`l$q!`l$Jbx$Jbx
                                          • API String ID: 4194217158-588870370
                                          • Opcode ID: d7074366d4979bf14fab2e12fed362e0f6ffff5aadf612fb8350b54c21b0bb1e
                                          • Instruction ID: ad52c4cd50da274462f58e06936ca2e6bb5f52cf3b9fb9425c71885a8592a7f5
                                          • Opcode Fuzzy Hash: d7074366d4979bf14fab2e12fed362e0f6ffff5aadf612fb8350b54c21b0bb1e
                                          • Instruction Fuzzy Hash: AB5158B1E002048FCB18CF59C9896DEBBB5FF89318F10846DE849AB741E735D985CB91
                                          APIs
                                          • _free.LIBCMT ref: 6C755ADD
                                          • _free.LIBCMT ref: 6C755B06
                                          • SetEndOfFile.KERNEL32(00000000,6C7546EC,00000000,6C74B0D0,?,?,?,?,?,?,?,6C7546EC,6C74B0D0,00000000), ref: 6C755B38
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C7546EC,6C74B0D0,00000000,?,?,?,?,00000000,?), ref: 6C755B54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFileLast
                                          • String ID: 8Q
                                          • API String ID: 1547350101-4022487301
                                          • Opcode ID: c9c365b427b06e4f3ce787b656e0bf1a7bfd4ae9351a1218619d0d293b83c946
                                          • Instruction ID: 19f7a5c447c632210775bcc91a7c8a341c8465cd3a39e37fbe8d3dfc516747f6
                                          • Opcode Fuzzy Hash: c9c365b427b06e4f3ce787b656e0bf1a7bfd4ae9351a1218619d0d293b83c946
                                          • Instruction Fuzzy Hash: 4441F336900205ABDB419FB8EE8CBCE3F75BF45368F640161E424E7A90EF30C8258760
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C78E41D
                                            • Part of subcall function 6C78EE40: __EH_prolog.LIBCMT ref: 6C78EE45
                                            • Part of subcall function 6C78E8EB: __EH_prolog.LIBCMT ref: 6C78E8F0
                                            • Part of subcall function 6C78E593: __EH_prolog.LIBCMT ref: 6C78E598
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: &qB$0aJ$A0$XqB
                                          • API String ID: 3519838083-1326096578
                                          • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                          • Instruction ID: 6e08136810a254b385909b09d0bc6270e68e0a24f45143016d9901635447a62b
                                          • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                          • Instruction Fuzzy Hash: CC218B71D01258AECB04DBE5DA8C9EDBBB4AF25318F204069E81677B81DB781E0CCB61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: J$0J$DJ$`J
                                          • API String ID: 3519838083-2453737217
                                          • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                          • Instruction ID: a65738055553feddbc3ec87dedbe5a4b1bfc5522693bb7c4d4e68f6daa698e4b
                                          • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                          • Instruction Fuzzy Hash: 961106B0901B64CEC720CF5AC55819AFBE4FFA5708B00C91FC4A687B10C7F8A548CB85
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C73F1B4,?,?,6C73F235,?,?,?), ref: 6C73F13F
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C73F152
                                          • FreeLibrary.KERNEL32(00000000,?,?,6C73F1B4,?,?,6C73F235,?,?,?), ref: 6C73F175
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: a49df9ece100174e5d493f985b678888fe2c32af7e1a4b82403c64d570d42fa5
                                          • Instruction ID: 19f564167b3ea719120fa08bc4b4bc187bc1933a8f5cf60eb0224eda50a47d42
                                          • Opcode Fuzzy Hash: a49df9ece100174e5d493f985b678888fe2c32af7e1a4b82403c64d570d42fa5
                                          • Instruction Fuzzy Hash: E0F08231601218FBDF02DB92DA19FAE7E78EB0539AF100070E809A2650CB308E00EA90
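A small parser for these records, added here as an example and not part of the report or of Joe Sandbox's own tooling. Each function record above follows one layout: call lines of the form `Name.MODULE(args), ref: ADDR` (calls made inside a callee are prefixed with `Part of subcall function ADDR:`), followed by `Key: value` fields such as API ID, String ID and the two fuzzy hashes. Reading them into objects lets an analyst skip functions whose every call is into the statically linked runtime (LIBCMT/LIBCPMT), keep those that reach Win32 imports, and pull the API String ID and fuzzy hashes for comparison with other samples. The sample input is constructed from records on this page; the regexes and the CRT module set are this example's assumptions, not something the report defines.

```python
"""Parser for the per-function records of a Joe Sandbox disassembly report.
Added example, not the report's or Joe Sandbox's code. SAMPLE is built from
records on this page; module names and field keys are the report's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

CRT_MODULES = {"LIBCMT", "LIBCPMT"}  # assumed: statically linked MSVC runtime code

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made inside a callee.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• Key: value"


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address when listed as a subcall


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def strings(self) -> list:
        # The report joins referenced strings with '$' (a literal '$' is ambiguous).
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def winapi_imports(self) -> set:
        return {c.name for c in self.calls if c.module not in CRT_MODULES}

    @property
    def is_crt_only(self) -> bool:
        return bool(self.calls) and not self.winapi_imports


def parse_records(text: str) -> list:
    """Split report text into records; each ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = CALL_RE.match(line)
        if m:
            args = m.group("args")
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"),
                                     args.split(",") if args else [],
                                     m.group("ref"), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                      # section headers: "APIs", "Similarity", ...
        key, val = m.group("key"), m.group("val")
        if key == "Associated":           # repeatable: one line per related dump
            cur.fields.setdefault(key, []).append(val)
        else:
            cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    if cur.calls or cur.fields:           # keep a truncated trailing record
        records.append(cur)
    return records


def triage(records: list) -> list:
    """One row per function: enough to decide whether it deserves a closer look."""
    return [{"api_string_id": r.fields.get("API String ID", ""),
             "winapi": sorted(r.winapi_imports), "strings": r.strings,
             "crt_only": r.is_crt_only,
             "first_ref": r.calls[0].ref if r.calls else None} for r in records]


# Constructed input: two records copied in the shape of those on this page.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C73F1B4,?,?,6C73F235,?,?,?), ref: 6C73F13F
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C73F152
• FreeLibrary.KERNEL32(00000000,?,?,6C73F1B4,?,?,6C73F235,?,?,?), ref: 6C73F175
Memory Dump Source
• Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Instruction Fuzzy Hash: E0F08231601218FBDF02DB92DA19FAE7E78EB0539AF100070E809A2650CB308E00EA90
APIs
• __EH_prolog3.LIBCMT ref: 6C73732E
• std::_Lockit::_Lockit.LIBCPMT ref: 6C737339
  • Part of subcall function 6C737230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C737248
• std::_Lockit::~_Lockit.LIBCPMT ref: 6C7373A7
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Instruction Fuzzy Hash: 07019E75600120DBDB15DB60C75C5BC3B71FFC6248B142419D80A97781CF35AA4ACBC1
"""

if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(row)
```

Module-based filtering is a first cut, not a verdict: the first sample record (GetModuleHandleExW on mscoree.dll, GetProcAddress for CorExitProcess, then FreeLibrary) is the MSVC C runtime's normal exit path, which hands shutdown to the CLR if it happens to be loaded, yet it reaches Win32 imports and so survives the filter. Functions worth time in this report are the ones whose API IDs and strings name something the runtime does not, and the API String ID and fuzzy hashes are what to carry into a comparison with other samples.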
                                          APIs
                                          • __EH_prolog3.LIBCMT ref: 6C73732E
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6C737339
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6C7373A7
                                            • Part of subcall function 6C737230: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C737248
                                          • std::locale::_Setgloballocale.LIBCPMT ref: 6C737354
                                          • _Yarn.LIBCPMT ref: 6C73736A
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                          • String ID:
                                          • API String ID: 1088826258-0
                                          • Opcode ID: f9b018f5ecb77c03fa53de2c8eb65f85dbe20edf35cf10ccf7380105a14e6d70
                                          • Instruction ID: 11600d66eacf2b44b76cd064034c5ada72a152848f325c4799036838197bbcd3
                                          • Opcode Fuzzy Hash: f9b018f5ecb77c03fa53de2c8eb65f85dbe20edf35cf10ccf7380105a14e6d70
                                          • Instruction Fuzzy Hash: 07019E75600120DBDB15DB60C75C5BC3B71FFC6248B142419D80A97781CF35AA4ACBC1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $!$@
                                          • API String ID: 3519838083-2517134481
                                          • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                          • Instruction ID: 0cdc7fd039cc86345721c0f927d548de8daf2c9e2eb9fcd1de575020916bac44
                                          • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                          • Instruction Fuzzy Hash: AC128074E05249DFCF04CFA4CA94ADDBBB1BF04308F14846AE945BBB51DB31AA95CB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog__aulldiv
                                          • String ID: $SJ
                                          • API String ID: 4125985754-3948962906
                                          • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                          • Instruction ID: 393676a51218ea906636641fd8dfcd6b4e2dd2680f43afff1689131f96435157
                                          • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                          • Instruction Fuzzy Hash: 55B15E71D022099FCB14CF59CA889AEBBF5FF48315F20853EE515A7B50D730AA45CB64
                                          APIs
                                            • Part of subcall function 6C737327: __EH_prolog3.LIBCMT ref: 6C73732E
                                            • Part of subcall function 6C737327: std::_Lockit::_Lockit.LIBCPMT ref: 6C737339
                                            • Part of subcall function 6C737327: std::locale::_Setgloballocale.LIBCPMT ref: 6C737354
                                            • Part of subcall function 6C737327: _Yarn.LIBCPMT ref: 6C73736A
                                            • Part of subcall function 6C737327: std::_Lockit::~_Lockit.LIBCPMT ref: 6C7373A7
                                            • Part of subcall function 6C602F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C602F95
                                            • Part of subcall function 6C602F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C602FAF
                                            • Part of subcall function 6C602F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C602FD0
                                            • Part of subcall function 6C602F60: __Getctype.LIBCPMT ref: 6C603084
                                            • Part of subcall function 6C602F60: std::_Facet_Register.LIBCPMT ref: 6C60309C
                                            • Part of subcall function 6C602F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C6030B7
                                          • std::ios_base::_Addstd.LIBCPMT ref: 6C60211B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                          • API String ID: 3332196525-1866435925
                                          • Opcode ID: ba38dbcae3f3515b43c163544b41b2d281059a77e05e38b01190a3085459c2b1
                                          • Instruction ID: 523c960824951a3e6dba35aa44efb2a29fe2bd0f299b1efec94a052a37f55a77
                                          • Opcode Fuzzy Hash: ba38dbcae3f3515b43c163544b41b2d281059a77e05e38b01190a3085459c2b1
                                          • Instruction Fuzzy Hash: 0D41D1B0A003098FDB04CF64C9497AEBBB1FF48318F148268E919AB791E7759985CF94
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $CK$CK
                                          • API String ID: 3519838083-2957773085
                                          • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                          • Instruction ID: f98ca761eb7382a111259cf539d2eb14b49d0f5fe454d778d789ae6304c53c20
                                          • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                          • Instruction Fuzzy Hash: E521B270E522059BCB14DFE9CA841EEF7B2FB84304F14867AC612E3B91C7744B068A61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 0$LrJ$x
                                          • API String ID: 3519838083-658305261
                                          • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                          • Instruction ID: 50b2068f0aefbab6fbf15fe423e25e2f7c6abbdc0c2b3f8856837836ceaa7d84
                                          • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                          • Instruction Fuzzy Hash: 76218132D011199BCF04DBE8DB98AEDB7B5EF6830CF20006AD81177A40DB755E08CBA5
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C794ECC
                                            • Part of subcall function 6C77F58A: __EH_prolog.LIBCMT ref: 6C77F58F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: :hJ$dJ$xJ
                                          • API String ID: 3519838083-2437443688
                                          • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                          • Instruction ID: 4522881b7c197163f069f4dca838fbe9758cc0799c53253d3a026a2b074a7520
                                          • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                          • Instruction Fuzzy Hash: 1521DCB0801B50CFC760CF6AC14828ABBF4BF69714B10C96EC4AA97F11D7B8A548CF55
                                          APIs
                                          • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C74B0D0,6C601DEA,00008000,6C74B0D0,?,?,?,6C74AC7F,6C74B0D0,?,00000000,6C601DEA), ref: 6C74ADC9
                                          • GetLastError.KERNEL32(?,?,?,6C74AC7F,6C74B0D0,?,00000000,6C601DEA,?,6C75469E,6C74B0D0,000000FF,000000FF,00000002,00008000,6C74B0D0), ref: 6C74ADD3
                                          • __dosmaperr.LIBCMT ref: 6C74ADDA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 2336955059-4022487301
                                          • Opcode ID: 71fe0e7d4bd7cf7bfbc6e97e39000f81d8350f9b113c9d42fc8ae8f08ed70970
                                          • Instruction ID: 04648ad2e3c802b6113bb60bee368140dbfa03f197dc18e6ad85edf5a653a9c2
                                          • Opcode Fuzzy Hash: 71fe0e7d4bd7cf7bfbc6e97e39000f81d8350f9b113c9d42fc8ae8f08ed70970
                                          • Instruction Fuzzy Hash: 2901DD337146257FCF058F6ACD098EE3B39EB86335B244264E411DB684EB71D9418B90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: <J$DJ$HJ$TJ$]
                                          • API String ID: 0-686860805
                                          • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                          • Instruction ID: 3f13bd69a9da6b5d94084c49efeb86c96b6d5e51127bdd30e0d48d4da7224e8a
                                          • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                          • Instruction Fuzzy Hash: 4341B730C06299AFCF14CBA1DA988EEB774AF15308F20C179D62167E51EB35B64DCB21
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID:
                                          • API String ID: 3732870572-0
                                          • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                          • Instruction ID: 2ae45d6eb7cbe41fccddecb424f2e9e56f5286db34fdd1114eba50b693ea20f8
                                          • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                          • Instruction Fuzzy Hash: CE119076201304BFEB214AA5CD48EAF7BBDEB85744F10893DF24196A90D6B1AC04D720
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,6C73EF64,6C766DD8,0000000C), ref: 6C7449B7
                                          • _free.LIBCMT ref: 6C744A14
                                          • _free.LIBCMT ref: 6C744A4A
                                          • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6C73EF64,6C766DD8,0000000C), ref: 6C744A55
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ErrorLast_free
                                          • String ID:
                                          • API String ID: 2283115069-0
                                          • Opcode ID: c710d8522ad99839dd19a0bd9f166e9ef17b89388331ec66e425aaee5a006c9a
                                          • Instruction ID: af137dd815014f7dd0f2549b4ea238d9f7f02f575548618defaeb040c7752ec5
                                          • Opcode Fuzzy Hash: c710d8522ad99839dd19a0bd9f166e9ef17b89388331ec66e425aaee5a006c9a
                                          • Instruction Fuzzy Hash: 021194723047006BDB115EB58E8CD6A2569ABC277C7358634F52896BC0EF318C05B154
                                          APIs
                                          • WriteConsoleW.KERNEL32(00000000,?,6C7546EC,00000000,00000000,?,6C754B51,00000000,00000001,00000000,6C74B0D0,?,6C74C286,?,?,6C74B0D0), ref: 6C755ED1
                                          • GetLastError.KERNEL32(?,6C754B51,00000000,00000001,00000000,6C74B0D0,?,6C74C286,?,?,6C74B0D0,?,6C74B0D0,?,6C74BD1C,6C755AB6), ref: 6C755EDD
                                            • Part of subcall function 6C755F2E: CloseHandle.KERNEL32(FFFFFFFE,6C755EED,?,6C754B51,00000000,00000001,00000000,6C74B0D0,?,6C74C286,?,?,6C74B0D0,?,6C74B0D0), ref: 6C755F3E
                                          • ___initconout.LIBCMT ref: 6C755EED
                                            • Part of subcall function 6C755F0F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C755EAB,6C754B3E,6C74B0D0,?,6C74C286,?,?,6C74B0D0,?), ref: 6C755F22
                                          • WriteConsoleW.KERNEL32(00000000,?,6C7546EC,00000000,?,6C754B51,00000000,00000001,00000000,6C74B0D0,?,6C74C286,?,?,6C74B0D0,?), ref: 6C755F02
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                           • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                          • String ID:
                                          • API String ID: 2744216297-0
                                          • Opcode ID: 62ab8d0b90b2af275d2dc40aed6a5da1e89525e44df5cd62da5ad2cbd539cc3c
                                          • Instruction ID: 85ae26dafa2566fc2e0fec1198b17d928bbf341f5bf60e27c02e6472c0db35c6
                                          • Opcode Fuzzy Hash: 62ab8d0b90b2af275d2dc40aed6a5da1e89525e44df5cd62da5ad2cbd539cc3c
                                          • Instruction Fuzzy Hash: 19F0A236501215BBCF625FE6DC089993F36FB067A5B444520FA1995660CB33C920EB90
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C76E077
                                            • Part of subcall function 6C76DFF5: __EH_prolog.LIBCMT ref: 6C76DFFA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: :$\
                                          • API String ID: 3519838083-1166558509
                                          • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                          • Instruction ID: aef7ba16493a980ea7d6d1e091256a43f7de43b182a07ac1feaec0fc4e462e0d
                                          • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                          • Instruction Fuzzy Hash: C1E1E23090020D9ECB10CFA7CE98BEDB7B1AF15318F208129DC5567E91EB75A54DCBA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                           • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmp
                                           • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog__aullrem
                                          • String ID: d%K
                                          • API String ID: 3415659256-3110269457
                                          • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                          • Instruction ID: 220623c03104f2ec77362bb44cb0c03cb19bd5b9aaa9d9e343b5440c0f45ec03
                                          • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                          • Instruction Fuzzy Hash: DD81C271A002099FDF10DF58CB88BDEB7F5AF44368F248069E858BBA41D771DA45CBA0
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog3_
                                          • String ID: 8Q
                                          • API String ID: 2427045233-4022487301
                                          • Opcode ID: 79457eda8e2395da3a02c8971338107f6858ff70c58ec642be3ce81661f69ea8
                                          • Instruction ID: 55e45829ef1cd8b8350d2b3362d96fbcca88a101b39cd7ae0dbea4bd22c5bb91
                                          • Opcode Fuzzy Hash: 79457eda8e2395da3a02c8971338107f6858ff70c58ec642be3ce81661f69ea8
                                          • Instruction Fuzzy Hash: 4271D871D01256DFEB108F96CA84BFEBBB6AF05358F14C235E828A7A41DF758845CB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$hfJ
                                          • API String ID: 3519838083-1391159562
                                          • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                          • Instruction ID: 95fbd06def0066e8b783afb84a73bd8e1942d3d5196a8d5760dede8e491f68c4
                                          • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                          • Instruction Fuzzy Hash: 11914D70910258DFCB20DF99D9989DEFBF4FF18308F54452EE559A7A90D770A948CB20
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C788C5D
                                            • Part of subcall function 6C78761A: __EH_prolog.LIBCMT ref: 6C78761F
                                            • Part of subcall function 6C787A2E: __EH_prolog.LIBCMT ref: 6C787A33
                                            • Part of subcall function 6C788EA5: __EH_prolog.LIBCMT ref: 6C788EAA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: WZJ
                                          • API String ID: 3519838083-1089469559
                                          • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                          • Instruction ID: 535b5e36f5ef3ad61cf1b5b7d8bbde097992df15e5f1eb10ca95dc08e20b7289
                                          • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                          • Instruction Fuzzy Hash: 9181A331D01259DFCF15DFA4DA98ADDB7B4AF18314F1040AAE51277B90DB306E49CB61
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: <dJ$Q
                                          • API String ID: 3519838083-2252229148
                                          • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                          • Instruction ID: 370f7710af6df3d1092213d86cf07d7ad59313441d2ce56d96e4c59735d79f31
                                          • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                          • Instruction Fuzzy Hash: 2351B171950299EFCF10DFE9DA848EDBBB1FF49318F10852EE521ABA50D7319A49CB10
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $D^J
                                          • API String ID: 3519838083-3977321784
                                          • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                          • Instruction ID: 04bdb0532b02678804575c69dfa7b94a69fddf5ae156ce7ac6feeb6b926238ae
                                          • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                          • Instruction Fuzzy Hash: 0D416020A075906ED7228F39CE58BE9BFA26F16308F148179C6D107F85DB68798FC395
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C7546D6), ref: 6C74D01B
                                          • __dosmaperr.LIBCMT ref: 6C74D022
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr
                                          • String ID: 8Q
                                          • API String ID: 1659562826-4022487301
                                          • Opcode ID: 922d3e8145590870f15ef7280fd792587d722eb8df8001b0e5860380dccd4722
                                          • Instruction ID: 0fea18bfbf073177111bbee52631e1efb318e21d5b000c3d175999c3c7910c76
                                          • Opcode Fuzzy Hash: 922d3e8145590870f15ef7280fd792587d722eb8df8001b0e5860380dccd4722
                                          • Instruction Fuzzy Hash: C341AA72704294AFD721DF6CCA80AA97FE5EF47319F18C269E8848B642D3759C1AC790
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: _strlen
                                          • String ID: U#`l$q!`l
                                          • API String ID: 4218353326-2718028504
                                          • Opcode ID: 8a7119c43417aa647feb9b91369675df0fc07d46b75c40e782554daa5bea71e5
                                          • Instruction ID: 738f5a55de7fbba3d931b8e72cc5e448cc1782b3e5f1cd61ce3c768ac5d1dc4b
                                          • Opcode Fuzzy Hash: 8a7119c43417aa647feb9b91369675df0fc07d46b75c40e782554daa5bea71e5
                                          • Instruction Fuzzy Hash: AC41C6B2D002189BDB04DFA4DD88BDEBBB9FF58354F140125E808B7741E7319A58CBA5
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: X&L$p|J
                                          • API String ID: 3519838083-2944591232
                                          • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                          • Instruction ID: 59efd6f0dd21a8f260f3340c161001a3c4bdecb098c4c25ce51f40242045a44e
                                          • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                          • Instruction Fuzzy Hash: 0F313A72695905CBD7909BD8FF09BBA7775FB11768F108336D910A6EE0CB60898BCB40
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 0|J$`)L
                                          • API String ID: 3519838083-117937767
                                          • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                          • Instruction ID: 8223150124333ee44d6b09e918b832927539ca40fa9659a3823b7fdbee5237c3
                                          • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                          • Instruction Fuzzy Hash: 75419131601745EFCB118FA5C698BEEBBE2FF45308F00452EE55A97B50CB326905DB92
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: __aulldiv
                                          • String ID: 3333
                                          • API String ID: 3732870572-2924271548
                                          • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                          • Instruction ID: c8958d382d39dd2a4ee1cd17a69a56210955e1a320ac6c179a61c23900276df3
                                          • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                          • Instruction Fuzzy Hash: 6C21A3B0A007046FD7308FB98D81B6BBAFDEB84714F108E2EE186D7B40D770A9448B65
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$LuJ
                                          • API String ID: 3519838083-205571748
                                          • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                          • Instruction ID: 6cbd3217aaff3f83ebd1d01d8b4d0d16c2fcad23251db57cdd7dabdf268ad5e7
                                          • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                          • Instruction Fuzzy Hash: BD01C4B1E01349DADB10DFD985805AEFBB4FF59304F40893EE42AE3A40C3345905CB59
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: @$xMJ
                                          • API String ID: 3519838083-951924499
                                          • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                          • Instruction ID: 07aa15bba9713135cfb15d2a44dc29ff675d358be5d2637791b603a150ce68c1
                                          • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                          • Instruction Fuzzy Hash: 06115AB1A00209DBCF20DF99C59459EB7B4FF1C348B50C82ED469E7600D3389A45CBA5
                                          APIs
                                          • _free.LIBCMT ref: 6C74DD49
                                          • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C74A63A,?,00000004,?,4B42FCB6,?,?,6C73F78C,4B42FCB6,?), ref: 6C74DD85
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1824047318.000000006C5B1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C5B0000, based on PE: true
                                          • Associated: 00000005.00000002.1824026627.000000006C5B0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825194746.000000006C758000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1826571677.000000006C923000.00000002.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: AllocHeap_free
                                          • String ID: 8Q
                                          • API String ID: 1080816511-4022487301
                                          • Opcode ID: 997ca6d82767b34a328c41654fe8527760b943eaa150f0d4fe6789ec4a10a1ff
                                          • Instruction ID: 86627abe48abc0ea7344f4c7ff02a3920fda32083ec47606063c9a8fdeb0d502
                                          • Opcode Fuzzy Hash: 997ca6d82767b34a328c41654fe8527760b943eaa150f0d4fe6789ec4a10a1ff
                                          • Instruction Fuzzy Hash: A5F0C831241615A6DB211E66DE4DB9A37A88F936B8B11C137E8949BE90DB20C401D9E8
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 6C79F746
                                            • Part of subcall function 6C79F7BF: __EH_prolog.LIBCMT ref: 6C79F7C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: uBzl$sJ
                                          • API String ID: 3519838083-1581056248
                                          • Opcode ID: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                          • Instruction ID: 012e460b4be543f35115397eebd40e9aadc226b5bb3af10ac3a24c779e84cf5e
                                          • Opcode Fuzzy Hash: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                          • Instruction Fuzzy Hash: 9501D631A00014AFCF11ABAADA48AED7F75EF95718F00842AE80192F90CF744949CF91
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prologctype
                                          • String ID: |zJ
                                          • API String ID: 3037903784-3782439380
                                          • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                          • Instruction ID: 9d07e6fedbeb942d24f12c00b2e958246e8a19111562deabf0811b6b6d70908a
                                          • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                          • Instruction Fuzzy Hash: 40E065726055109FEB15CF89D9047ADF3A4FF54B14F10412F9422A7A41CBB1E8458681
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID: H_prologctype
                                          • String ID: <oJ
                                          • API String ID: 3037903784-2791053824
                                          • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                          • Instruction ID: 39fbefcffa559d66295f131246d69e670bcd2c456999763113230ad967f50674
                                          • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                          • Instruction Fuzzy Hash: B4E0ED32B421109FDB049F0CEA24BDEF7B4EF54B64F11002EE011A7B41CBB1A8008680
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @ K$DJ$T)K$X/K
                                          • API String ID: 0-3815299647
                                          • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                          • Instruction ID: 9786faf5f2b16639f196f14a53c0b729395adc41625092d9b2d076c6354d2305
                                          • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                          • Instruction Fuzzy Hash: 3691A1307043069FCF00DFB5C6587EAB3A2AF5130CF54882AC8665BF85DB75A959CB52
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.1825257068.000000006C768000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C768000, based on PE: true
                                          • Associated: 00000005.00000002.1825786120.000000006C833000.00000004.00000001.01000000.00000009.sdmpDownload File
                                          • Associated: 00000005.00000002.1825891445.000000006C839000.00000020.00000001.01000000.00000009.sdmpDownload File
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_6c5b0000_cVyexkZjrG.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: D)K$H)K$P)K$T)K
                                          • API String ID: 0-2262112463
                                          • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                          • Instruction ID: c1e63b1fbe39fd916f1abcc5573aecdc8a8f7a002cd6d13ebc2412fa39367429
                                          • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                          • Instruction Fuzzy Hash: B051A131A0420A9FCF01CFA5DA48AEEB7B5AF2531CF14842AEC1167F80DB75994DD752

                                          Execution Graph

                                          Execution Coverage:4%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0.4%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:53
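The execution_graph dump that follows is the interactive call graph flattened into one token stream: a five-digit node id followed by the function's start address opens a node, the identifiers after it are the labels Joe Sandbox attached to that node (resolved API names, CRT helpers such as _CxxThrowException, or summaries like "2 API calls"), and each src->dst token is a call-graph edge. The parser below is an added example for working with that data, not Joe Sandbox code; the token rules are inferred from the dump on this page, and the SAMPLE string is an excerpt copied from the 505e2b / 4c9c60 region of it. It answers the question an analyst usually has for a graph like this: which functions end up calling a given API.

```python
"""Parse a Joe Sandbox `execution_graph` dump and report which functions
end up calling a given API.  Added example for working with this report's
data; it is not Joe Sandbox code.  Token rules are inferred from the dump
on this page: a 5-digit node id followed by a 6-hex-digit start address
opens a node, the identifiers after it are that node's labels, and
`src->dst` tokens are call-graph edges."""
import re
from collections import defaultdict, deque

NODE_ID = re.compile(r"^\d{5}$")
ADDRESS = re.compile(r"^[0-9a-f]{6}$")
EDGE = re.compile(r"^(\d{5})->(\d{5})$")
# Tokens that belong to Joe Sandbox's summary labels ("2 API calls",
# "2 library calls", "ctype"), not to a call name.
SUMMARY_WORDS = {"API", "calls", "library", "ctype"}

# Excerpt copied from the execution_graph on this page (the 505e2b / 4c9c60 region).
SAMPLE = (
    "74406 505e2b 74407 505e35 __EH_prolog 74406->74407 74412 5008b6 74407->74412 "
    "74409 505e41 74417 4ddfc9 malloc _CxxThrowException __EH_prolog 74409->74417 "
    "74411 505e57 74411->74405 74418 4c9c60 74412->74418 74414 5008c4 "
    "74423 4c9c8f GetModuleHandleA GetProcAddress 74414->74423 74416 5008f3 __aulldiv "
    "74416->74409 74417->74411 74428 4c9c4d GetCurrentProcess GetProcessAffinityMask "
    "74418->74428 74420 4c9c6e 74421 4c9c80 GetSystemInfo 74420->74421 74422 4c9c79 "
    "74420->74422 74421->74414 74422->74414 74424 4c9cef GlobalMemoryStatus 74423->74424 "
    "74425 4c9cc4 GlobalMemoryStatusEx 74423->74425 74426 4c9d08 74424->74426 "
    "74425->74424 74427 4c9cce 74425->74427 74426->74427 74427->74416 74428->74420"
)


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> (address, [labels]), edges is [(src, dst)]."""
    nodes, edges, current = {}, [], None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            current = None            # labels only follow a node header, never an edge
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 1                    # consume the address token as well
        elif current is not None:
            nodes[current][1].append(tok)
        i += 1
    return nodes, edges


def api_calls(nodes):
    """Map each call name that appears as a node label to the node ids carrying it."""
    calls = defaultdict(list)
    for nid, (_addr, labels) in nodes.items():
        for label in labels:
            if label not in SUMMARY_WORDS and not label.isdigit():
                calls[label].append(nid)
    return calls


def callers_of(edges, target, max_depth=64):
    """Breadth-first walk of the reversed graph: every node id that can reach `target`."""
    rev = defaultdict(list)
    for src, dst in edges:
        rev[dst].append(src)
    seen, queue = set(), deque([(target, 0)])
    while queue:
        nid, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for parent in rev[nid]:
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, depth + 1))
    return seen


def functions_reaching(nodes, edges, api):
    """Sorted start addresses of the nodes calling `api` plus everything that reaches them."""
    addresses = set()
    for nid in api_calls(nodes).get(api, []):
        addresses.add(nodes[nid][0])
        for caller in callers_of(edges, nid):
            if caller in nodes:       # edges may point at nodes outside the excerpt
                addresses.add(nodes[caller][0])
    return sorted(addresses)


if __name__ == "__main__":
    graph_nodes, graph_edges = parse_graph(SAMPLE)
    for api in ("GetSystemInfo", "GetProcessAffinityMask", "GlobalMemoryStatusEx"):
        print(api, "reached from", functions_reaching(graph_nodes, graph_edges, api))
```

To use it on the whole report, paste the entire execution_graph text into `parse_graph` in place of SAMPLE; the same walk then tells you, for any API name Joe Sandbox resolved (FindFirstFileW, SetFileSecurityW, VirtualAlloc, and so on), which start addresses sit on a path to it, which is what you want before opening those functions in a disassembler.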
                                          execution_graph 73122 53f190 73125 4c1e0c 73122->73125 73124 53f1b0 73126 4c1e1c malloc 73125->73126 73127 4c1e15 73125->73127 73128 4c1e3e 73126->73128 73129 4c1e2a _CxxThrowException 73126->73129 73127->73126 73128->73124 73129->73128 73131 5469d0 73132 5469d4 73131->73132 73133 5469d7 malloc 73131->73133 73134 4ed948 73164 4edac7 73134->73164 73136 4ed94f 73172 4c2e04 73136->73172 73139 4c2e04 2 API calls 73140 4ed987 73139->73140 73142 4ed9e7 73140->73142 73175 4c6404 73140->73175 73145 4eda0f 73142->73145 73162 4eda36 73142->73162 73200 4c1e40 free 73145->73200 73147 4eda94 73213 4c1e40 free 73147->73213 73149 4ed9bf 73198 4c1e40 free 73149->73198 73150 4eda17 73201 4c1e40 free 73150->73201 73155 4ed9c7 73199 4c1e40 free 73155->73199 73156 4eda9c 73214 4c1e40 free 73156->73214 73159 4ed9cf 73162->73147 73202 4c2da9 73162->73202 73205 5004d2 73162->73205 73211 4c1524 malloc _CxxThrowException __EH_prolog ctype 73162->73211 73212 4c1e40 free 73162->73212 73165 4edad1 __EH_prolog 73164->73165 73166 4c2e04 2 API calls 73165->73166 73167 4edb33 73166->73167 73168 4c2e04 2 API calls 73167->73168 73169 4edb3f 73168->73169 73170 4c2e04 2 API calls 73169->73170 73171 4edb55 73170->73171 73171->73136 73173 4c1e0c ctype 2 API calls 73172->73173 73174 4c2e11 73173->73174 73174->73139 73215 4c631f 73175->73215 73178 4c6423 73219 4c2f88 73178->73219 73179 4c2f88 3 API calls 73179->73178 73181 4c643d 73182 4d7e5a 73181->73182 73183 4d7e64 __EH_prolog 73182->73183 73292 4d8179 73183->73292 73188 4c2fec 3 API calls 73189 4d7e9a 73188->73189 73190 4c2da9 2 API calls 73189->73190 73191 4d7ea7 73190->73191 73301 4c6c72 73191->73301 73195 4d7ecb 73196 4d7ed8 73195->73196 73400 4c757d GetLastError 73195->73400 73196->73142 73196->73149 73198->73155 73199->73159 73200->73150 73201->73159 73588 4c2d4d 73202->73588 73206 500513 73205->73206 73207 5004df 73205->73207 73206->73162 73208 5004e8 _CxxThrowException 73207->73208 73209 5004fd 
73207->73209 73208->73209 73591 500551 malloc _CxxThrowException free memcpy ctype 73209->73591 73211->73162 73212->73162 73213->73156 73214->73159 73216 4c9245 73215->73216 73225 4c90da 73216->73225 73220 4c2f9a 73219->73220 73221 4c1e0c ctype 2 API calls 73220->73221 73222 4c2fbe 73220->73222 73223 4c2fb4 73221->73223 73222->73181 73222->73222 73291 4c1e40 free 73223->73291 73226 4c90e4 __EH_prolog 73225->73226 73227 4c2f88 3 API calls 73226->73227 73229 4c90f7 73227->73229 73228 4c915d 73230 4c2e04 2 API calls 73228->73230 73229->73228 73233 4c9109 73229->73233 73231 4c9165 73230->73231 73232 4c91be 73231->73232 73235 4c9174 73231->73235 73275 4c6332 6 API calls 2 library calls 73232->73275 73234 4c6414 73233->73234 73266 4c2e47 73233->73266 73234->73178 73234->73179 73239 4c2f88 3 API calls 73235->73239 73237 4c917d 73263 4c91ca 73237->73263 73273 4c859e malloc _CxxThrowException free _CxxThrowException 73237->73273 73239->73237 73243 4c912e 73246 4c914d 73243->73246 73271 4c31e5 malloc _CxxThrowException free _CxxThrowException 73243->73271 73245 4c9185 73249 4c2e04 2 API calls 73245->73249 73272 4c1e40 free 73246->73272 73250 4c9197 73249->73250 73251 4c91ce 73250->73251 73252 4c919f 73250->73252 73253 4c2f88 3 API calls 73251->73253 73254 4c91b9 73252->73254 73274 4c1089 malloc _CxxThrowException free _CxxThrowException 73252->73274 73253->73254 73276 4c3199 malloc _CxxThrowException free _CxxThrowException 73254->73276 73257 4c91e6 73277 4c8f57 memmove 73257->73277 73259 4c91ee 73260 4c91f2 73259->73260 73278 4c2fec 73259->73278 73285 4c1e40 free 73260->73285 73286 4c1e40 free 73263->73286 73267 4c2e57 73266->73267 73287 4c2ba6 73267->73287 73270 4c8f57 memmove 73270->73243 73271->73246 73272->73234 73273->73245 73274->73254 73275->73237 73276->73257 73277->73259 73279 4c2ffc 73278->73279 73280 4c2ff8 73278->73280 73279->73280 73281 4c1e0c ctype 2 API calls 73279->73281 73284 4c31e5 malloc _CxxThrowException free _CxxThrowException 73280->73284 73282 4c3010 
73281->73282 73290 4c1e40 free 73282->73290 73284->73260 73285->73263 73286->73234 73288 4c1e0c ctype 2 API calls 73287->73288 73289 4c2bbb 73288->73289 73289->73270 73290->73280 73291->73222 73296 4d8906 73292->73296 73293 4d7e77 73297 4e7ebb 73293->73297 73296->73293 73401 4d8804 free ctype 73296->73401 73402 4c1e40 free 73296->73402 73298 4e7ec6 73297->73298 73300 4d7e7f 73297->73300 73299 4c1e40 free ctype 73298->73299 73298->73300 73299->73298 73300->73188 73303 4c6c7c __EH_prolog 73301->73303 73302 4c6cd3 73305 4c6ce2 73302->73305 73308 4c6d87 73302->73308 73303->73302 73304 4c6cb7 73303->73304 73306 4c2f88 3 API calls 73304->73306 73307 4c2f88 3 API calls 73305->73307 73309 4c6cc7 73306->73309 73313 4c6cf5 73307->73313 73310 4c2e47 2 API calls 73308->73310 73315 4c6f4a 73308->73315 73399 4c1e40 free 73309->73399 73311 4c6db0 73310->73311 73314 4c2e47 2 API calls 73311->73314 73312 4c6d4a 73420 4c7b41 28 API calls 73312->73420 73313->73312 73316 4c6d0b 73313->73316 73323 4c6dc0 73314->73323 73319 4c6fd1 73315->73319 73321 4c6f7e 73315->73321 73419 4c9252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 73316->73419 73318 4c6d5f 73421 4c764c 73318->73421 73325 4c6fed 73319->73325 73343 4c701d 73319->73343 73397 4c6ff2 73319->73397 73441 4c6bf5 73321->73441 73322 4c6d36 73322->73312 73327 4c6d3a 73322->73327 73334 4c6dfe 73323->73334 73424 4c3221 malloc _CxxThrowException free _CxxThrowException 73323->73424 73330 4c6bf5 11 API calls 73325->73330 73327->73309 73330->73397 73332 4c6fca 73338 4c6848 FindClose 73332->73338 73333 4c6f99 73341 4c2f88 3 API calls 73333->73341 73335 4c6e43 73334->73335 73346 4c6e1e 73334->73346 73337 4c6c72 42 API calls 73335->73337 73340 4c6e4e 73337->73340 73338->73309 73344 4c6f3a 73340->73344 73345 4c6e41 73340->73345 73342 4c6fb0 73341->73342 73455 4c717b 13 API calls 73342->73455 73343->73397 73456 4c717b 13 API calls 73343->73456 73439 4c1e40 free 73344->73439 73425 4c2f1c 73345->73425 73346->73345 73349 4c2fec 3 API calls 
73346->73349 73349->73345 73351 4c7052 73354 4c7064 73351->73354 73355 4c7056 73351->73355 73353 4c6f42 73440 4c1e40 free 73353->73440 73360 4c2e47 2 API calls 73354->73360 73358 4c2f88 3 API calls 73355->73358 73395 4c705f 73358->73395 73359 4c2e04 2 API calls 73382 4c6e83 73359->73382 73361 4c706d 73360->73361 73457 4c1089 malloc _CxxThrowException free _CxxThrowException 73361->73457 73364 4c707b 73458 4c1089 malloc _CxxThrowException free _CxxThrowException 73364->73458 73365 4c6848 FindClose 73365->73309 73367 4c6ecf 73432 4c1e40 free 73367->73432 73368 4c6ec7 SetLastError 73368->73367 73369 4c7085 73372 4c6868 12 API calls 73369->73372 73374 4c7095 73372->73374 73373 4c6f11 73433 4c1e40 free 73373->73433 73377 4c70bb 73374->73377 73378 4c7099 wcscmp 73374->73378 73375 4c6ed3 73431 4c31e5 malloc _CxxThrowException free _CxxThrowException 73375->73431 73381 4c6bf5 11 API calls 73377->73381 73378->73377 73398 4c70b1 73378->73398 73380 4c6f19 73434 4c6848 73380->73434 73384 4c70c6 73381->73384 73382->73367 73382->73368 73382->73375 73387 4c2e04 2 API calls 73382->73387 73428 4c6bb5 17 API calls 73382->73428 73429 4c22bf CharUpperW 73382->73429 73430 4c1e40 free 73382->73430 73391 4c70d8 73384->73391 73384->73398 73386 4c2f88 3 API calls 73389 4c714c 73386->73389 73387->73382 73461 4c1e40 free 73389->73461 73459 4c1e40 free 73391->73459 73393 4c6f2b 73438 4c1e40 free 73393->73438 73395->73365 73397->73332 73403 4c6868 73397->73403 73398->73386 73399->73195 73400->73196 73401->73296 73402->73296 73404 4c6872 __EH_prolog 73403->73404 73405 4c6848 FindClose 73404->73405 73406 4c6880 73405->73406 73407 4c68a9 73406->73407 73408 4c689b FindFirstFileW 73406->73408 73413 4c68f6 73406->73413 73409 4c68ee 73407->73409 73410 4c2e04 2 API calls 73407->73410 73408->73407 73409->73413 73468 4c6919 malloc _CxxThrowException free 73409->73468 73412 4c68ba 73410->73412 73462 4c8b4a 73412->73462 73413->73332 73460 4c717b 13 API calls 73413->73460 73415 4c68d0 73416 4c68d4 
FindFirstFileW 73415->73416 73417 4c68e2 73415->73417 73416->73417 73467 4c1e40 free 73417->73467 73419->73322 73420->73318 73422 4c7656 CloseHandle 73421->73422 73423 4c7661 73421->73423 73422->73423 73423->73309 73424->73334 73426 4c2ba6 2 API calls 73425->73426 73427 4c2f2c 73426->73427 73427->73359 73428->73382 73429->73382 73430->73382 73431->73367 73432->73373 73433->73380 73435 4c685d 73434->73435 73436 4c6852 FindClose 73434->73436 73437 4c1e40 free 73435->73437 73436->73435 73437->73393 73438->73309 73439->73353 73440->73315 73442 4c6bff __EH_prolog 73441->73442 73443 4c6c19 GetFileAttributesW 73442->73443 73444 4c6c21 73442->73444 73443->73444 73454 4c6c5f 73443->73454 73445 4c2e04 2 API calls 73444->73445 73444->73454 73446 4c6c2d 73445->73446 73447 4c8b4a 9 API calls 73446->73447 73448 4c6c42 73447->73448 73449 4c6c49 GetFileAttributesW 73448->73449 73450 4c6c5a 73448->73450 73586 4c1e40 free 73449->73586 73587 4c1e40 free 73450->73587 73453 4c6c55 73453->73454 73454->73333 73454->73397 73455->73332 73456->73351 73457->73364 73458->73369 73459->73397 73460->73332 73461->73395 73469 4c8b80 73462->73469 73464 4c8b6e 73464->73415 73466 4c2f88 3 API calls 73466->73464 73467->73409 73468->73413 73471 4c8b8a __EH_prolog 73469->73471 73470 4c8b55 73470->73464 73470->73466 73471->73470 73472 4c8c7b 73471->73472 73478 4c8be1 73471->73478 73473 4c8d23 73472->73473 73475 4c8c8f 73472->73475 73474 4c8e8a 73473->73474 73477 4c8d3b 73473->73477 73476 4c2e47 2 API calls 73474->73476 73475->73477 73481 4c8c9e 73475->73481 73479 4c8e96 73476->73479 73480 4c2e04 2 API calls 73477->73480 73478->73470 73482 4c2e47 2 API calls 73478->73482 73487 4c2e47 2 API calls 73479->73487 73483 4c8d43 73480->73483 73484 4c2e47 2 API calls 73481->73484 73485 4c8c05 73482->73485 73566 4c6332 6 API calls 2 library calls 73483->73566 73497 4c8ca7 73484->73497 73492 4c8c24 73485->73492 73493 4c8c17 73485->73493 73489 4c8eb8 73487->73489 73488 4c8d52 73490 4c8d56 73488->73490 73567 4c859e 
malloc _CxxThrowException free _CxxThrowException 73488->73567 73578 4c8f57 memmove 73489->73578 73495 4c2e47 2 API calls 73492->73495 73556 4c1e40 free 73493->73556 73500 4c8c35 73495->73500 73501 4c2e47 2 API calls 73497->73501 73557 4c8f57 memmove 73500->73557 73507 4c8cd0 73501->73507 73561 4c8f57 memmove 73507->73561 73509 4c8c41 73556->73470 73557->73509 73566->73488 73586->73453 73587->73454 73589 4c2ba6 2 API calls 73588->73589 73590 4c2d68 73589->73590 73590->73162 73591->73206 73592 4cb144 73593 4cb153 73592->73593 73595 4cb159 73592->73595 73596 4d11b4 73593->73596 73597 4d11c1 73596->73597 73598 4d11eb 73597->73598 73601 50ae7c 73597->73601 73606 50af27 73597->73606 73598->73595 73602 50ae86 73601->73602 73613 4d7190 73602->73613 73626 4d7140 73602->73626 73603 50aebb 73603->73597 73607 50af36 73606->73607 73610 50b010 73607->73610 73611 50aeeb 107 API calls 73607->73611 73756 4cbd0c 73607->73756 73761 50ad3a 73607->73761 73765 50aebf 107 API calls 73607->73765 73610->73597 73611->73607 73614 4d719a __EH_prolog 73613->73614 73615 4d71b0 73614->73615 73618 4d71dd 73614->73618 73653 4d4d78 73615->73653 73630 4d6fc5 73618->73630 73619 4d72b4 73620 4d4d78 VariantClear 73619->73620 73621 4d72c0 73619->73621 73620->73621 73622 4d71b7 73621->73622 73623 4d7140 7 API calls 73621->73623 73622->73603 73623->73622 73624 4d7236 73624->73619 73624->73622 73625 4d72a3 SetFileSecurityW 73624->73625 73625->73619 73627 4d718d 73626->73627 73628 4d714b 73626->73628 73627->73603 73628->73627 73755 4d4dff 7 API calls 2 library calls 73628->73755 73631 4d6fcf __EH_prolog 73630->73631 73656 4d44a6 73631->73656 73638 4d7051 73640 4d706a 73638->73640 73643 4d11b4 107 API calls 73638->73643 73639 4d7029 73639->73640 73678 4d4dff 7 API calls 2 library calls 73639->73678 73659 4d68ac 73640->73659 73641 4d709e 73700 4c1e40 free 73641->73700 73643->73640 73644 4d710b 73644->73624 73647 4d70e2 73647->73641 73698 4d6b5e 69 API calls 2 library calls 73647->73698 73650 4d70fd 
73650->73641 73651 4d7103 73650->73651 73699 4c1e40 free 73651->73699 73744 4e9262 73653->73744 73657 4c2e04 2 API calls 73656->73657 73658 4d44be 73657->73658 73658->73639 73658->73640 73677 4d6e71 12 API calls 2 library calls 73658->73677 73660 4d68b6 __EH_prolog 73659->73660 73662 4d6921 73660->73662 73675 4d68c5 73660->73675 73702 4c7d4b 73660->73702 73661 4d6962 73664 4d6998 73661->73664 73709 4c2dcd malloc _CxxThrowException 73661->73709 73662->73661 73662->73664 73708 4d6a17 6 API calls 2 library calls 73662->73708 73668 4d69e1 73664->73668 73701 4c7c3b SetFileTime 73664->73701 73712 4cbcf8 CloseHandle 73668->73712 73670 4d697a 73710 4d6b09 13 API calls __EH_prolog 73670->73710 73674 4d698c 73711 4c1e40 free 73674->73711 73675->73641 73679 4c6096 73675->73679 73677->73639 73678->73638 73680 4c60a0 __EH_prolog 73679->73680 73681 4c6bf5 11 API calls 73680->73681 73682 4c60ad 73681->73682 73683 4c60c6 73682->73683 73726 4c5a8c 73682->73726 73685 4c60de DeleteFileW 73683->73685 73686 4c60e9 73683->73686 73696 4c60e5 73683->73696 73685->73686 73685->73696 73687 4c2e04 2 API calls 73686->73687 73686->73696 73688 4c60f5 73687->73688 73689 4c8b4a 9 API calls 73688->73689 73690 4c610a 73689->73690 73691 4c6125 73690->73691 73692 4c6111 DeleteFileW 73690->73692 73741 4c1e40 free 73691->73741 73740 4c1e40 free 73692->73740 73695 4c611d 73695->73696 73696->73647 73697 4d4dff 7 API calls 2 library calls 73696->73697 73697->73647 73698->73650 73699->73644 73700->73644 73701->73668 73713 4c77c8 73702->73713 73704 4c7d76 73704->73662 73707 4d4dff 7 API calls 2 library calls 73704->73707 73707->73662 73708->73661 73709->73670 73710->73674 73711->73664 73712->73675 73717 4c7731 73713->73717 73715 4c77db 73715->73704 73716 4c7d3c SetEndOfFile 73715->73716 73716->73704 73718 4c775c SetFilePointer 73717->73718 73719 4c7740 73717->73719 73720 4c7780 GetLastError 73718->73720 73724 4c77a1 73718->73724 73719->73718 73721 4c778c 73720->73721 73720->73724 73725 4c76d6 SetFilePointer 
GetLastError 73721->73725 73723 4c7796 SetLastError 73723->73724 73724->73715 73725->73723 73727 4c5a96 __EH_prolog 73726->73727 73728 4c5ab3 SetFileAttributesW 73727->73728 73730 4c5ac1 73727->73730 73729 4c5abd 73728->73729 73728->73730 73729->73683 73730->73729 73731 4c2e04 2 API calls 73730->73731 73732 4c5acd 73731->73732 73733 4c8b4a 9 API calls 73732->73733 73734 4c5ae2 73733->73734 73735 4c5ae6 SetFileAttributesW 73734->73735 73736 4c5b00 73734->73736 73742 4c1e40 free 73735->73742 73743 4c1e40 free 73736->73743 73739 4c5af8 73739->73729 73740->73695 73741->73696 73742->73739 73743->73729 73745 4e926c __EH_prolog 73744->73745 73746 4e92fc 73745->73746 73749 4e92a4 73745->73749 73748 4c965d VariantClear 73746->73748 73750 4d4d91 73748->73750 73751 4c965d 73749->73751 73750->73622 73752 4c9685 73751->73752 73754 4c9665 73751->73754 73752->73750 73753 4c967e VariantClear 73753->73752 73754->73752 73754->73753 73755->73627 73766 4c7ca2 73756->73766 73759 4cbd3d 73759->73607 73762 50ad44 __EH_prolog 73761->73762 73774 4d6305 73762->73774 73763 50adbf 73763->73607 73765->73607 73768 4c7caf 73766->73768 73769 4c7cdb 73768->73769 73771 4c7c68 73768->73771 73769->73759 73770 4cb8ec GetLastError 73769->73770 73770->73759 73772 4c7c79 WriteFile 73771->73772 73773 4c7c76 73771->73773 73772->73768 73773->73772 73775 4d630f __EH_prolog 73774->73775 73811 4d62b9 73775->73811 73778 4d6427 73780 4c965d VariantClear 73778->73780 73779 4d644a 73781 4c965d VariantClear 73779->73781 73799 4d6445 73780->73799 73782 4d646b 73781->73782 73815 4d5126 73782->73815 73787 4d4d78 VariantClear 73788 4d6499 73787->73788 73791 4d64ca 73788->73791 73788->73799 73971 4d5110 9 API calls 73788->73971 73790 4d65de 73792 4d669e 73790->73792 73793 4d65e7 73790->73793 73794 4d64da 73791->73794 73791->73799 73972 4c42e3 CharUpperW 73791->73972 73792->73799 73801 4d66b8 73792->73801 73802 4d6754 73792->73802 73795 4c1e0c ctype 2 API calls 73793->73795 73798 4d65f6 73793->73798 73794->73790 
73794->73799 73973 4d789c free memmove ctype 73794->73973 73795->73798 73974 4e36ea 73798->73974 73799->73763 73805 4c1e0c ctype 2 API calls 73801->73805 73861 4d5bea 73802->73861 73804 4d666b 73987 4c1e40 free 73804->73987 73805->73799 73806 4d665c 73986 4c31e5 malloc _CxxThrowException free _CxxThrowException 73806->73986 73812 4d62c9 73811->73812 73988 4e8fa4 73812->73988 73816 4d5130 __EH_prolog 73815->73816 73817 4d51b4 73816->73817 73823 4d518e 73816->73823 74032 4c3097 malloc _CxxThrowException free SysStringLen ctype 73816->74032 73820 4c965d VariantClear 73817->73820 73817->73823 73819 4c965d VariantClear 73821 4d527f 73819->73821 73822 4d51bc 73820->73822 73821->73799 73857 4e8b05 73821->73857 73822->73823 73824 4d5289 73822->73824 73825 4d5206 73822->73825 73823->73819 73824->73823 73827 4d5221 73824->73827 74033 4c3097 malloc _CxxThrowException free SysStringLen ctype 73825->74033 73828 4c965d VariantClear 73827->73828 73829 4d522d 73828->73829 73829->73821 73830 4d5351 73829->73830 74034 4d5459 malloc _CxxThrowException __EH_prolog 73829->74034 73830->73821 73837 4d53a1 73830->73837 74039 4c35e7 memmove 73830->74039 73832 4d52ba 74035 4c8011 5 API calls ctype 73832->74035 73835 4d52cf 73849 4d52fd 73835->73849 74036 4c823d 10 API calls 2 library calls 73835->74036 73837->73821 74040 4c43b7 5 API calls 2 library calls 73837->74040 73840 4d52e5 73841 4c2fec 3 API calls 73840->73841 73843 4d52f5 73841->73843 73842 4d540e 74042 4d789c free memmove ctype 73842->74042 74037 4c1e40 free 73843->74037 73847 4d541c 73850 4e36ea 5 API calls 73847->73850 73848 4d53df 73848->73842 73848->73847 74041 4c42e3 CharUpperW 73848->74041 74038 4d54a0 free ctype 73849->74038 73851 4d5427 73850->73851 73852 4c2fec 3 API calls 73851->73852 73853 4d5433 73852->73853 74043 4c1e40 free 73853->74043 73855 4d543b 74044 4f2db9 free ctype 73855->74044 73858 4e8b2e 73857->73858 73859 4c965d VariantClear 73858->73859 73860 4d648a 73859->73860 73860->73787 73860->73799 73862 4d5bf4 
__EH_prolog 73861->73862 74045 4d54c0 73862->74045 73865 4d5e17 73865->73799 73866 4e8b05 VariantClear 73867 4d5c34 73866->73867 73867->73865 74060 4d5630 73867->74060 73870 4e36ea 5 API calls 73871 4d5c51 73870->73871 73872 4d5c60 73871->73872 74158 4d57c1 53 API calls 2 library calls 73871->74158 73874 4c2f1c 2 API calls 73872->73874 73875 4d5c6c 73874->73875 73878 4d5caa 73875->73878 74159 4d6217 4 API calls 2 library calls 73875->74159 73877 4d5c91 73879 4c2fec 3 API calls 73877->73879 73880 4d5d49 73878->73880 73885 4c2e04 2 API calls 73878->73885 73881 4d5c9e 73879->73881 73882 4d5d55 73880->73882 73883 4d5d91 73880->73883 74160 4c1e40 free 73881->74160 73886 4c2fec 3 API calls 73882->73886 73890 4d5da6 73883->73890 74081 4d58be 73883->74081 73887 4d5cd2 73885->73887 73889 4d5d66 73886->73889 74161 4c1e40 free 73887->74161 73892 4d5d73 73889->73892 74166 4c5b2d 73889->74166 73891 4c2fec 3 API calls 73890->73891 73936 4d5d8c 73890->73936 73893 4d5dd1 73891->73893 73892->73890 73895 4d5d7b 73892->73895 73899 4d5de7 73893->73899 73911 4d5e41 73893->73911 73893->73936 73900 4d7140 7 API calls 73895->73900 73895->73936 73898 4d5cf5 73898->73880 73907 4c2fec 3 API calls 73898->73907 74179 4d6b5e 69 API calls 2 library calls 73899->74179 73900->73936 73901 4d61fa 74200 4c1e40 free 73901->74200 73902 4d5eb0 73910 4d5d0c 73907->73910 74162 4c1089 malloc _CxxThrowException free _CxxThrowException 73910->74162 73911->73902 74182 4d4115 VariantClear _CxxThrowException __EH_prolog 73911->74182 74199 4c1e40 free 73936->74199 73971->73791 73972->73791 73973->73790 73975 4e36f4 __EH_prolog 73974->73975 73976 4c2e04 2 API calls 73975->73976 73982 4e370a 73976->73982 73977 4e3736 73978 4c2f1c 2 API calls 73977->73978 73981 4e3742 73978->73981 74260 4c1e40 free 73981->74260 73982->73977 74261 4c1089 malloc _CxxThrowException free _CxxThrowException 73982->74261 74262 4c31e5 malloc _CxxThrowException free _CxxThrowException 73982->74262 73984 4d6633 73984->73804 73984->73806 
73985 4c1089 malloc _CxxThrowException free _CxxThrowException 73984->73985 73985->73806 73986->73804 73987->73799 73989 4e8fae __EH_prolog 73988->73989 73990 4e7ebb free 73989->73990 73991 4e8ff2 73990->73991 74022 4e8b64 73991->74022 73994 4d6302 73994->73778 73994->73779 73994->73799 73996 4e9020 73996->73994 73997 4c2fec 3 API calls 73996->73997 73998 4e903a 73997->73998 74011 4e904d 73998->74011 74026 4e8b80 VariantClear 73998->74026 74000 4e9144 74005 4c2f88 3 API calls 74000->74005 74009 4e917b 74000->74009 74001 4e9244 74031 4c43b7 5 API calls 2 library calls 74001->74031 74002 4e91b0 74029 4e8b9c 10 API calls 2 library calls 74002->74029 74005->74009 74006 4e91c0 74006->73994 74015 4c2f88 3 API calls 74006->74015 74007 4e9100 74010 4c965d VariantClear 74007->74010 74008 4e90d6 74008->74007 74013 4e90e7 74008->74013 74028 4e8f2e 9 API calls 74008->74028 74009->74001 74009->74002 74010->73994 74011->73994 74011->74000 74011->74007 74011->74008 74027 4c3097 malloc _CxxThrowException free SysStringLen ctype 74011->74027 74017 4c965d VariantClear 74013->74017 74020 4e91ff 74015->74020 74016 4e9112 74016->74007 74018 4e8b64 VariantClear 74016->74018 74017->74000 74019 4e9123 74018->74019 74019->74007 74019->74013 74020->73994 74030 4c50ff free ctype 74020->74030 74023 4e8b05 VariantClear 74022->74023 74024 4e8b6f 74023->74024 74024->73994 74025 4e8f2e 9 API calls 74024->74025 74025->73996 74026->74011 74027->74008 74028->74016 74029->74006 74030->73994 74031->73994 74032->73817 74033->73827 74034->73832 74035->73835 74036->73840 74037->73849 74038->73830 74039->73830 74040->73848 74041->73848 74042->73847 74043->73855 74044->73821 74046 4d54ca __EH_prolog 74045->74046 74047 4d5507 74046->74047 74048 4c965d VariantClear 74046->74048 74049 4c965d VariantClear 74047->74049 74051 4d5528 74048->74051 74050 4d5567 74049->74050 74050->73865 74050->73866 74051->74047 74052 4d5572 74051->74052 74053 4c965d VariantClear 74052->74053 74054 4d558e 74053->74054 74201 4d4cac 
VariantClear __EH_prolog 74054->74201 74056 4d55a1 74056->74050 74202 4d4cac VariantClear __EH_prolog 74056->74202 74058 4d55b8 74058->74050 74203 4d4cac VariantClear __EH_prolog 74058->74203 74062 4d563a __EH_prolog 74060->74062 74064 4d5679 74062->74064 74204 4e3558 10 API calls 2 library calls 74062->74204 74063 4d571a 74063->73870 74064->74063 74065 4c2f1c 2 API calls 74064->74065 74066 4d5696 74065->74066 74205 4e3333 malloc _CxxThrowException free 74066->74205 74068 4d56a2 74069 4d56ad 74068->74069 74070 4d56c5 74068->74070 74206 4d7853 5 API calls 2 library calls 74069->74206 74072 4d56b4 74070->74072 74207 4c4adf wcscmp 74070->74207 74073 4d5707 74072->74073 74209 4c1089 malloc _CxxThrowException free _CxxThrowException 74072->74209 74210 4c31e5 malloc _CxxThrowException free _CxxThrowException 74073->74210 74077 4d56d2 74077->74072 74208 4d7853 5 API calls 2 library calls 74077->74208 74078 4d5712 74211 4c1e40 free 74078->74211 74082 4d58c8 __EH_prolog 74081->74082 74083 4c2e04 2 API calls 74082->74083 74084 4d58e9 74083->74084 74085 4c6c72 44 API calls 74084->74085 74158->73872 74159->73877 74160->73878 74161->73898 74167 4c5b37 __EH_prolog 74166->74167 74168 4c5b51 RemoveDirectoryW 74167->74168 74169 4c5b5c 74167->74169 74168->74169 74199->73901 74200->73865 74201->74056 74202->74058 74203->74050 74204->74064 74205->74068 74206->74072 74207->74077 74208->74072 74209->74073 74210->74078 74211->74063 74260->73984 74261->73982 74262->73982 74263 4ea7c5 74265 4ea7e9 74263->74265 74272 4ea96b 74263->74272 74264 4eade3 74368 4c1e40 free 74264->74368 74267 4ea952 74265->74267 74289 5004d2 5 API calls 74265->74289 74348 4ee0b0 6 API calls 74265->74348 74267->74272 74349 4ee0b0 6 API calls 74267->74349 74268 4eadeb 74369 4c1e40 free 74268->74369 74272->74264 74287 4eac1e 74272->74287 74296 4eac6c 74272->74296 74310 4ead88 74272->74310 74314 4ead17 74272->74314 74316 4eacbc 74272->74316 74330 4d101c 74272->74330 74333 4e98f2 74272->74333 74339 4ecc6f 74272->74339 
74350 4e9531 5 API calls __EH_prolog 74272->74350 74351 4e80c1 malloc _CxxThrowException __EH_prolog 74272->74351 74352 4ec820 5 API calls 2 library calls 74272->74352 74353 4e814d 6 API calls 74272->74353 74354 4e8125 free ctype 74272->74354 74273 4eae99 74275 4c1e0c ctype 2 API calls 74273->74275 74274 5004d2 malloc _CxxThrowException free _CxxThrowException memcpy 74278 4eadf3 74274->74278 74279 4eaea9 memset memset 74275->74279 74278->74273 74278->74274 74281 4eaedd 74279->74281 74280 4eac26 74356 4c1e40 free 74280->74356 74370 4c1e40 free 74281->74370 74286 4eaee5 74371 4c1e40 free 74286->74371 74355 4c1e40 free 74287->74355 74289->74265 74290 4eaef0 74372 4c1e40 free 74290->74372 74294 4ec430 74374 4c1e40 free 74294->74374 74357 4c1e40 free 74296->74357 74297 4ec438 74375 4c1e40 free 74297->74375 74301 4ec443 74376 4c1e40 free 74301->74376 74302 4eac85 74358 4c1e40 free 74302->74358 74304 4ec44e 74377 4c1e40 free 74304->74377 74306 4eac2e 74373 4c1e40 free 74306->74373 74308 4ec459 74365 4e8125 free ctype 74310->74365 74362 4e8125 free ctype 74314->74362 74315 4ead93 74366 4c1e40 free 74315->74366 74359 4e8125 free ctype 74316->74359 74320 4eadac 74367 4c1e40 free 74320->74367 74321 4eacc7 74360 4c1e40 free 74321->74360 74322 4ead3c 74363 4c1e40 free 74322->74363 74326 4ead55 74364 4c1e40 free 74326->74364 74327 4eace0 74361 4c1e40 free 74327->74361 74378 4cb95a 74330->74378 74334 4e98fc __EH_prolog 74333->74334 74385 4e9987 74334->74385 74336 4e9970 74336->74272 74337 4e9911 74337->74336 74389 4eef8d 12 API calls 2 library calls 74337->74389 74429 50cf91 74339->74429 74437 50f445 74339->74437 74443 505505 74339->74443 74340 4ecc8b 74344 4ecccb 74340->74344 74447 4e979e VariantClear __EH_prolog 74340->74447 74342 4eccb1 74342->74344 74448 4ecae9 VariantClear 74342->74448 74344->74272 74348->74265 74349->74272 74350->74272 74351->74272 74352->74272 74353->74272 74354->74272 74355->74280 74356->74306 74357->74302 74358->74306 74359->74321 74360->74327 
74361->74306 74362->74322 74363->74326 74364->74306 74365->74315 74366->74320 74367->74306 74368->74268 74369->74278 74370->74286 74371->74290 74372->74306 74373->74294 74374->74297 74375->74301 74376->74304 74377->74308 74379 4cb969 74378->74379 74380 4cb97d 74378->74380 74379->74380 74381 4c7731 5 API calls 74379->74381 74380->74272 74382 4cb9ee 74381->74382 74382->74380 74384 4cb8ec GetLastError 74382->74384 74384->74380 74386 4e9991 __EH_prolog 74385->74386 74390 5180aa 74386->74390 74387 4e99a8 74387->74337 74389->74336 74391 5180b4 __EH_prolog 74390->74391 74392 4c1e0c ctype 2 API calls 74391->74392 74393 5180bf 74392->74393 74394 5180d3 74393->74394 74396 50bdb5 74393->74396 74394->74387 74397 50bdbf __EH_prolog 74396->74397 74402 50be69 74397->74402 74399 50bdef 74400 4c2e04 2 API calls 74399->74400 74401 50be16 74400->74401 74401->74394 74403 50be73 __EH_prolog 74402->74403 74406 505e2b 74403->74406 74405 50be7f 74405->74399 74407 505e35 __EH_prolog 74406->74407 74412 5008b6 74407->74412 74409 505e41 74417 4ddfc9 malloc _CxxThrowException __EH_prolog 74409->74417 74411 505e57 74411->74405 74418 4c9c60 74412->74418 74414 5008c4 74423 4c9c8f GetModuleHandleA GetProcAddress 74414->74423 74416 5008f3 __aulldiv 74416->74409 74417->74411 74428 4c9c4d GetCurrentProcess GetProcessAffinityMask 74418->74428 74420 4c9c6e 74421 4c9c80 GetSystemInfo 74420->74421 74422 4c9c79 74420->74422 74421->74414 74422->74414 74424 4c9cef GlobalMemoryStatus 74423->74424 74425 4c9cc4 GlobalMemoryStatusEx 74423->74425 74426 4c9d08 74424->74426 74425->74424 74427 4c9cce 74425->74427 74426->74427 74427->74416 74428->74420 74430 50cf9b __EH_prolog 74429->74430 74431 50f445 14 API calls 74430->74431 74432 50d018 74431->74432 74434 50d01f 74432->74434 74449 511511 74432->74449 74434->74340 74435 50d08b 74435->74434 74455 512c5d 11 API calls 2 library calls 74435->74455 74438 50f455 74437->74438 74844 4d1092 74438->74844 74441 50f478 74441->74340 74444 50550f __EH_prolog 74443->74444 74857 
77335->77327 77337 4e7aca wcscmp 77336->77337 77337->77327 77339->77327 77340->77197 77341->77197 77342->77317 77343->77325 77344->77327 77345->77327 77346->77330 77347->77333 77348 4ecefb 77349 4ed0cc 77348->77349 77350 4ecf03 77348->77350 77350->77349 77395 4ecae9 VariantClear 77350->77395 77352 4ecf59 77352->77349 77396 4ecae9 VariantClear 77352->77396 77354 4ecf71 77354->77349 77397 4ecae9 VariantClear 77354->77397 77356 4ecf87 77356->77349 77398 4ecae9 VariantClear 77356->77398 77358 4ecf9d 77358->77349 77399 4ecae9 VariantClear 77358->77399 77360 4ecfb3 77360->77349 77400 4ecae9 VariantClear 77360->77400 77362 4ecfc9 77362->77349 77401 4c4504 malloc _CxxThrowException 77362->77401 77364 4ecfdc 77365 4c2e04 2 API calls 77364->77365 77367 4ecfe7 77365->77367 77366 4ed009 77369 4ed080 77366->77369 77370 4ed030 77366->77370 77394 4ed07b 77366->77394 77367->77366 77368 4c2f88 3 API calls 77367->77368 77368->77366 77406 4e7a0c CharUpperW 77369->77406 77373 4c2e04 2 API calls 77370->77373 77377 4ed038 77373->77377 77374 4ed0c4 77410 4c1e40 free 77374->77410 77376 4ed08b 77407 4dfdbc 4 API calls 2 library calls 77376->77407 77378 4c2e04 2 API calls 77377->77378 77380 4ed046 77378->77380 77402 4dfdbc 4 API calls 2 library calls 77380->77402 77381 4ed0a7 77383 4c2fec 3 API calls 77381->77383 77385 4ed0b3 77383->77385 77384 4ed057 77386 4c2fec 3 API calls 77384->77386 77408 4c1e40 free 77385->77408 77388 4ed063 77386->77388 77403 4c1e40 free 77388->77403 77390 4ed06b 77404 4c1e40 free 77390->77404 77392 4ed073 77405 4c1e40 free 77392->77405 77409 4c1e40 free 77394->77409 77395->77352 77396->77354 77397->77356 77398->77358 77399->77360 77400->77362 77401->77364 77402->77384 77403->77390 77404->77392 77405->77394 77406->77376 77407->77381 77408->77394 77409->77374 77410->77349 77411 557da0 WaitForSingleObject 77412 557dc1 77411->77412 77413 557dbb GetLastError 77411->77413 77414 557dce CloseHandle 77412->77414 77416 557ddf 77412->77416 77413->77412 77415 557dd9 
GetLastError 77414->77415 77414->77416 77415->77416 77417 50bf67 77418 50bf74 77417->77418 77422 50bf85 77417->77422 77418->77422 77423 50bf8c 77418->77423 77424 50bf96 __EH_prolog 77423->77424 77440 50d144 77424->77440 77428 50bfd0 77447 4c1e40 free 77428->77447 77430 50bfdb 77448 4c1e40 free 77430->77448 77432 50bfe6 77449 50c072 free ctype 77432->77449 77434 50bff4 77450 4daafa free VariantClear ctype 77434->77450 77436 50c023 77451 4e73d2 free VariantClear __EH_prolog ctype 77436->77451 77438 50bf7f 77439 4c1e40 free 77438->77439 77439->77422 77441 50d14e __EH_prolog 77440->77441 77442 50d1b7 free 77441->77442 77443 50d180 77442->77443 77452 508e04 memset 77443->77452 77445 50bfc5 77446 4c1e40 free 77445->77446 77446->77428 77447->77430 77448->77432 77449->77434 77450->77436 77451->77438 77452->77445 77453 546ba3 VirtualFree 77454 4fadb7 77455 4fadc1 __EH_prolog 77454->77455 77456 4c26dd 2 API calls 77455->77456 77457 4fae1d 77456->77457 77458 4c2e04 2 API calls 77457->77458 77459 4fae38 77458->77459 77460 4c2e04 2 API calls 77459->77460 77461 4fae44 77460->77461 77462 4c2e04 2 API calls 77461->77462 77463 4fae68 77462->77463 77464 4fad29 2 API calls 77463->77464 77465 4fae85 77464->77465 77470 4faf2d 77465->77470 77467 4fae94 77468 4c2e04 2 API calls 77467->77468 77469 4faeb2 77468->77469 77471 4faf37 __EH_prolog 77470->77471 77482 4d34f4 malloc _CxxThrowException __EH_prolog 77471->77482 77473 4fafac 77474 4c2e04 2 API calls 77473->77474 77475 4fafbb 77474->77475 77476 4c2e04 2 API calls 77475->77476 77477 4fafca 77476->77477 77478 4c2e04 2 API calls 77477->77478 77479 4fafd9 77478->77479 77480 4c2e04 2 API calls 77479->77480 77481 4fafe8 77480->77481 77481->77467 77482->77473 77483 4f5475 77484 4c2fec 3 API calls 77483->77484 77485 4f54b4 77484->77485 77486 4fc911 24 API calls 77485->77486 77487 4f54bb 77486->77487
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 005081F1
                                            • Part of subcall function 0050F749: _CxxThrowException.MSVCRT(?,00574A58), ref: 0050F792
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: ExceptionH_prologThrow
                                          • String ID:
                                          • API String ID: 461045715-3916222277
                                          • Opcode ID: 4b492abb1d095f01ff25dea68906778ce5cd71047c8d35f89131fa449613c943
                                          • Instruction ID: 6a523eb89e9dee1a5dea8934ae3874376999f439313be41b511bdb0b7a696483
                                          • Opcode Fuzzy Hash: 4b492abb1d095f01ff25dea68906778ce5cd71047c8d35f89131fa449613c943
                                          • Instruction Fuzzy Hash: E7928C3190024ADFDF14DFA8C884FAEBFB1BF59304F244499E885AB292CB759D45CB61
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004C686D
                                            • Part of subcall function 004C6848: FindClose.KERNELBASE(00000000,?,004C6880), ref: 004C6853
                                          • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 004C68A5
                                          • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 004C68DE
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: Find$FileFirst$CloseH_prolog
                                          • String ID:
                                          • API String ID: 3371352514-0
                                          • Opcode ID: dda7bf04ea2f9984c2b6b1a8053c75e0df62a3b2b76c04c60ae9dcee00b7304b
                                          • Instruction ID: 5f8e96cc6546fe5aa57687a4f3635216dbebe3b813b2ca6c6d51727ecbeb6e08
                                          • Opcode Fuzzy Hash: dda7bf04ea2f9984c2b6b1a8053c75e0df62a3b2b76c04c60ae9dcee00b7304b
                                          • Instruction Fuzzy Hash: E511D039400209DBCB50FF64C851EFEBB78EF51324F11822EE9A057292DB398E86DB54

                                          Control-flow Graph

                                          • Function entry block: 4fa013. The executed / not-executed colouring and the basic-block edge list are rendered only in the interactive report and are omitted here. Library call visible in the graph: fputs.
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$ExceptionThrow
                                          • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&X$p&X$N
                                          • API String ID: 3665150552-3881641262
                                          • Opcode ID: 4c518637481bb89a5dfabf79361d695622c09326a54d03d27c3feda2726aa16a
                                          • Instruction ID: 4ce4d207c3ef0dd0d225dcde962b9336f8c04f0fff4fb5fc5378d2f7ff3165f5
                                          • Opcode Fuzzy Hash: 4c518637481bb89a5dfabf79361d695622c09326a54d03d27c3feda2726aa16a
                                          • Instruction Fuzzy Hash: D9527C7090025CDFCF26EBA5C985BEEBBB5AF44308F04409FE54963291DB786A84DF19
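Added example, not part of the Joe Sandbox report: a parser for the per-function "APIs" / "Similarity" blocks in this section, with a tagging pass that flags file-system enumeration calls and the 7-Zip console strings ("7zCon.sfx", "Scanning the drive for archives:") that, together with the snapshot name hcaresult_9_2_4c0000_7zr.jbxd, mark process 9 as the bundled 7zr console tool rather than the payload itself. The sample input is copied from two function entries on this page; the tag names, the FS_ENUM and SEVEN_ZIP_CONSOLE sets and the record layout are my own choices, not fields of the report.

```python
"""Parse Joe Sandbox per-function "APIs" / "Similarity" blocks and tag them for triage.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed by
copying two function entries from the report verbatim.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 004C686D
  • Part of subcall function 004C6848: FindClose.KERNELBASE(00000000,?,004C6880), ref: 004C6853
• FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 004C68A5
• FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 004C68DE
Similarity
• API ID: Find$FileFirst$CloseH_prolog
• String ID:
• API String ID: 3371352514-0
• Instruction Fuzzy Hash: E111D039400209DBCB50FF64C851EFEBB78EF51324F11822EE9A057292DB398E86DB54
APIs
• fputs.MSVCRT(Scanning the drive for archives:), ref: 004FA43E
  • Part of subcall function 004C1FA0: fputc.MSVCRT ref: 004C1FA7
Similarity
• API ID: fputcfputs
• String ID: Alternate Streams Size: $Alternate Streams: $Scanning the drive for archives:$Size: $Warnings: 
• API String ID: 269475090-560894286
• Instruction Fuzzy Hash: 49229C30900248DFDF26EBA5C945BEEBBB1AF44304F10409FE54A632A1DB786E94DF19
"""

# One "• name.MODULE(args), ref: ADDR" line; the "Part of subcall function" prefix
# marks calls the report attributes to a callee rather than to the function itself.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)

# Tag vocabularies (assumed, chosen for this example): Win32 directory enumeration
# APIs, and console strings seen on this page that belong to 7-Zip's console front end.
FS_ENUM = {"FindFirstFileW", "FindFirstFileExW", "FindNextFileW", "FindClose"}
SEVEN_ZIP_CONSOLE = {
    "7zCon.sfx",
    "Scanning the drive for archives:",
    "Can't open as archive:",
    "Archives with Errors:",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: int                       # call-site address, parsed from the "ref:" field
    via_subcall: Optional[str]     # callee address when the report lists it as a subcall


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""
    strings: list[str] = field(default_factory=list)      # "String ID" split on "$"
    api_string_id: Optional[tuple[int, int]] = None       # "API String ID: a-b"
    fuzzy_hash: str = ""                                  # "Instruction Fuzzy Hash"


def parse_blocks(text: str) -> list[FunctionBlock]:
    """Split the report text at each 'APIs' header and collect one record per function."""
    blocks: list[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["parent"]))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"], m["val"].strip()
        if key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.strings = [s.strip() for s in val.split("$") if s.strip()]
        elif key == "API String ID":
            a, b = val.split("-")
            cur.api_string_id = (int(a), int(b))
        elif key == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = val
    return blocks


def direct_calls(b: FunctionBlock) -> list[str]:
    """API names the report attributes to the function itself, not to a subcall."""
    return [c.name for c in b.calls if c.via_subcall is None]


def tag_block(b: FunctionBlock) -> set[str]:
    """Assign triage tags from the APIs called and the strings (or string arguments) used."""
    tags: set[str] = set()
    if any(c.name in FS_ENUM for c in b.calls):
        tags.add("fs-enum")
    if any(c.name == "_CxxThrowException" for c in b.calls):
        tags.add("cxx-exceptions")
    literal_args = {a for c in b.calls for a in c.args}
    if (set(b.strings) | literal_args) & SEVEN_ZIP_CONSOLE:
        tags.add("7zip-console")
    return tags
```

Run over the whole "Executed Functions" listing, the tag pass separates the 7-Zip console code (7zip-console) from anything in the same module that enumerates directories without printing the console banner, which is the part worth reading first when the dumped module is a packaged legitimate tool.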

                                          Control-flow Graph

                                          • Function entry block: 4fa42c. The executed / not-executed colouring and the basic-block edge list are rendered only in the interactive report and are omitted here. Library call visible in the graph: fputs.
                                          APIs
                                          • fputs.MSVCRT(Scanning the drive for archives:), ref: 004FA43E
                                            • Part of subcall function 004C1FA0: fputc.MSVCRT ref: 004C1FA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputcfputs
                                          • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&X$p&X$!"$N
                                          • API String ID: 269475090-560894286
                                          • Opcode ID: e63d24b0a8314251885dcb336b3c9ab8500c40da073711712458cb8cc0744271
                                          • Instruction ID: 54473f4ff6b71737e1cf22bd948c0a23ef5de01bbb8b1f4cf897454ab03ed6a5
                                          • Opcode Fuzzy Hash: e63d24b0a8314251885dcb336b3c9ab8500c40da073711712458cb8cc0744271
                                          • Instruction Fuzzy Hash: 49229C30900248DFDF26EBA5C945BEEBBB1AF44304F10409FE54A632A1DB786E94DF19

                                          Control-flow Graph

                                          • Function entry block: 4f8012. The executed / not-executed colouring and the basic-block edge list are rendered only in the interactive report and are omitted here. Library calls visible in the graph: fputs, SysFreeString.
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004F8017
                                          • fputs.MSVCRT ref: 004F804D
                                            • Part of subcall function 004F8341: __EH_prolog.LIBCMT ref: 004F8346
                                            • Part of subcall function 004F8341: fputs.MSVCRT ref: 004F835B
                                            • Part of subcall function 004F8341: fputs.MSVCRT ref: 004F8364
                                          • fputs.MSVCRT ref: 004F807A
                                            • Part of subcall function 004C1FA0: fputc.MSVCRT ref: 004C1FA7
                                            • Part of subcall function 004C965D: VariantClear.OLEAUT32(?), ref: 004C967F
                                          • SysFreeString.OLEAUT32(00000000), ref: 004F81AA
                                          • fputs.MSVCRT ref: 004F81CD
                                          • SysFreeString.OLEAUT32(00000000), ref: 004F8267
                                          • SysFreeString.OLEAUT32(00000000), ref: 004F82B1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                          • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                          • API String ID: 2889736305-3797937567
                                          • Opcode ID: 9988dda04960eccfde5986d8410efc508b29c084f422156f84c6371ea2ba1338
                                          • Instruction ID: 2be3a54e915dbae54806b8dd35378575118935093f8f6b5fd094d46c2aafd529
                                          • Opcode Fuzzy Hash: 9988dda04960eccfde5986d8410efc508b29c084f422156f84c6371ea2ba1338
                                          • Instruction Fuzzy Hash: 3E918931A00609EFCB14DFA4D981EBEB7B5FF58314F20416EE602AB291DB74AD05CB64

                                          Control-flow Graph

                                          • Function entry block: 4f6766. The executed / not-executed colouring and the basic-block edge list are rendered only in the interactive report and are omitted here. Library calls visible in the graph: EnterCriticalSection, fputs.
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004F676B
                                          • EnterCriticalSection.KERNEL32(00582938), ref: 004F6781
                                          • fputs.MSVCRT ref: 004F680B
                                          • LeaveCriticalSection.KERNEL32(00582938), ref: 004F6944
                                            • Part of subcall function 004FC7D7: fputs.MSVCRT ref: 004FC840
                                          • fputs.MSVCRT ref: 004F6851
                                            • Part of subcall function 004C2201: fputs.MSVCRT ref: 004C221E
                                          • fputs.MSVCRT ref: 004F68D9
                                          • fputs.MSVCRT ref: 004F68F6
                                            • Part of subcall function 004C1FA0: fputc.MSVCRT ref: 004C1FA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                          • String ID: v$8)X$8)X$Sub items Errors:
                                          • API String ID: 2670240366-3847803350
                                          • Opcode ID: 19fa4ca4e3152e8bc0d94df0657e47614ac9225bdf06298dcfef66c193eb75b1
                                          • Instruction ID: a195125666e16a6acc586a47a11aa043f5bc2607e45aa0d6d69b9cf5eeeec3c5
                                          • Opcode Fuzzy Hash: 19fa4ca4e3152e8bc0d94df0657e47614ac9225bdf06298dcfef66c193eb75b1
                                          • Instruction Fuzzy Hash: FE51CD35501604CFCB24AF65D894EBABBE2FF85314F11442FE29A87262CB786C44CF48

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004F635E
                                          • fputs.MSVCRT ref: 004F645F
                                            • Part of subcall function 004FC7D7: fputs.MSVCRT ref: 004FC840
                                          • fputs.MSVCRT ref: 004F6547
                                          • fputs.MSVCRT ref: 004F665F
                                          • fputs.MSVCRT ref: 004F66AE
                                            • Part of subcall function 004C1F91: fflush.MSVCRT ref: 004C1F93
                                            • Part of subcall function 004C1FB3: __EH_prolog.LIBCMT ref: 004C1FB8
                                            • Part of subcall function 004C1E40: free.MSVCRT ref: 004C1E44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$H_prolog$fflushfree
                                          • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                          • API String ID: 1750297421-1898165966
                                          • Opcode ID: 28e7aac4e7e0cd0f8ed115673444c8ab4bcd9cef065bec6c3458b7570cbc3928
                                          • Instruction ID: 8f0e86fa98057320a6ef7fb6fc73e99d58bd9e04d5667a4688b53c3baa003720
                                          • Opcode Fuzzy Hash: 28e7aac4e7e0cd0f8ed115673444c8ab4bcd9cef065bec6c3458b7570cbc3928
                                          • Instruction Fuzzy Hash: BAB18E346017099FDB24EF61C9A1BBBB7E1BF45308F05442FE65A97292CB78A844CF58

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004C6C77
                                          • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 004C6EC9
                                            • Part of subcall function 004C6C72: wcscmp.MSVCRT ref: 004C70A5
                                            • Part of subcall function 004C6BF5: __EH_prolog.LIBCMT ref: 004C6BFA
                                            • Part of subcall function 004C6BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 004C6C1A
                                            • Part of subcall function 004C6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 004C6C49
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                          • String ID: :$DATA
                                          • API String ID: 3316598575-2587938151
                                          • Opcode ID: 8214b175a169c195858021dbf745330cbb2cc2472c9496aca3d24907a1db4e79
                                          • Instruction ID: da2162542f158bc7d8994c831f8a0c976b776bfcce24aa283aaed44fc3390ff9
                                          • Opcode Fuzzy Hash: 8214b175a169c195858021dbf745330cbb2cc2472c9496aca3d24907a1db4e79
                                          • Instruction Fuzzy Hash: 8AE136389002099BCFA1EFA5C855FEEB7B1AF15318F10841FE84267392DB7CA945CB19
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$H_prolog
                                          • String ID: =
                                          • API String ID: 2614055831-2525689732
                                          • Opcode ID: e2d1863407e275b4cb6365f05fdb782758c013476150cd93180008d08db8630d
                                          • Instruction ID: a889983d15818992eb5cdcbc7d949b2e72deaac3f103ad733c3653eb0abafc8d
                                          • Opcode Fuzzy Hash: e2d1863407e275b4cb6365f05fdb782758c013476150cd93180008d08db8630d
                                          • Instruction Fuzzy Hash: 69215B36904118ABCF05EB95D952FEEBBB5EF48318F20002FE401721A2DFB95E45DA99
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004F8346
                                          • fputs.MSVCRT ref: 004F835B
                                          • fputs.MSVCRT ref: 004F8364
                                            • Part of subcall function 004F83BF: __EH_prolog.LIBCMT ref: 004F83C4
                                            • Part of subcall function 004F83BF: fputs.MSVCRT ref: 004F8401
                                            • Part of subcall function 004F83BF: fputs.MSVCRT ref: 004F8437
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs$H_prolog
                                          • String ID: =
                                          • API String ID: 2614055831-2525689732
                                          • Opcode ID: a5a486924ee18436db8d6a65fa88e33b0d8f1d254ccf702272db3c55bbba40a3
                                          • Instruction ID: 259fecd3148100eb134e97b5dfbef1ca04294b5e68d2cac450e89332b2c7ab55
                                          • Opcode Fuzzy Hash: a5a486924ee18436db8d6a65fa88e33b0d8f1d254ccf702272db3c55bbba40a3
                                          • Instruction Fuzzy Hash: 4801A235A00008ABCB05BBA6C812FEEBF75AF85714F00401FF901972A2CFB94A45DB95
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004E209B
                                            • Part of subcall function 004C757D: GetLastError.KERNEL32(004CD14C), ref: 004C757D
                                            • Part of subcall function 004E2C6C: __EH_prolog.LIBCMT ref: 004E2C71
                                            • Part of subcall function 004C1E40: free.MSVCRT ref: 004C1E44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$ErrorLastfree
                                          • String ID: Cannot find archive file$The item is a directory
                                          • API String ID: 683690243-1569138187
                                          • Opcode ID: 9cf1df4ec8494154f7443cb1c737625fe57bea1f3283262e716c68f2a25b8125
                                          • Instruction ID: 7c00332bf59244f6179cf600e858e01d5bef320e071c3f6f6b280e067e82228f
                                          • Opcode Fuzzy Hash: 9cf1df4ec8494154f7443cb1c737625fe57bea1f3283262e716c68f2a25b8125
                                          • Instruction Fuzzy Hash: 6C725774D00258DFCB25DFAAC980BDEBBB5AF09304F14409EE859A7352C7B89A81CF55
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: CountTickfputs
                                          • String ID: .
                                          • API String ID: 290905099-4150638102
                                          • Opcode ID: 4f593de052691239d7a0172f379cacad1431a8e887b8d9d0d6450de98e9e77be
                                          • Instruction ID: 16e4ab48ad399df772036587ce32674973dee5962a6cbd477279b6df71328370
                                          • Opcode Fuzzy Hash: 4f593de052691239d7a0172f379cacad1431a8e887b8d9d0d6450de98e9e77be
                                          • Instruction Fuzzy Hash: 7A712934A00B089BCB61EB69C6D1FABB7F5AF81304F00491EE18687641DBB8B945CB19
                                          APIs
                                            • Part of subcall function 004C9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 004C9CB3
                                            • Part of subcall function 004C9C8F: GetProcAddress.KERNEL32(00000000), ref: 004C9CBA
                                            • Part of subcall function 004C9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 004C9CC8
                                          • __aulldiv.LIBCMT ref: 0050093F
                                          • __aulldiv.LIBCMT ref: 0050094B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                          • String ID: 3333
                                          • API String ID: 3520896023-2924271548
                                          • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                          • Instruction ID: 5f4bf508ad4eae9ad92faa810cff7e9c911c00ace68661692adea0eebb0874e6
                                          • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                          • Instruction Fuzzy Hash: D921A3B09007046FE7309F6A8885B5FBEFDFB84711F04892FA186D7282D670AD048B65
                                          APIs
                                            • Part of subcall function 004C1E40: free.MSVCRT ref: 004C1E44
                                          • memset.MSVCRT ref: 004EAEBA
                                          • memset.MSVCRT ref: 004EAECD
                                            • Part of subcall function 005004D2: _CxxThrowException.MSVCRT(?,00574A58), ref: 005004F8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: memset$ExceptionThrowfree
                                          • String ID: Split
                                          • API String ID: 1404239998-1882502421
                                          • Opcode ID: 7543709bc0fcf8497d232fb672d3b859e66dec21842521b048c9119bf9e7e961
                                          • Instruction ID: 74ca5f69341ef6b18fd7580f1b0ab962846e3b6de9208aede593d837ba729a06
                                          • Opcode Fuzzy Hash: 7543709bc0fcf8497d232fb672d3b859e66dec21842521b048c9119bf9e7e961
                                          • Instruction Fuzzy Hash: 30428E30E00288DFDF25DBA6C984BAEBBB1BF05305F14409AE449A7352C738AD91CF16
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004C609B
                                            • Part of subcall function 004C6BF5: __EH_prolog.LIBCMT ref: 004C6BFA
                                            • Part of subcall function 004C6BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 004C6C1A
                                            • Part of subcall function 004C6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 004C6C49
                                          • DeleteFileW.KERNELBASE(?,?,?,00000000), ref: 004C60DF
                                          • DeleteFileW.KERNEL32(?,00000000,?,?,00000000), ref: 004C6111
                                            • Part of subcall function 004C5A8C: __EH_prolog.LIBCMT ref: 004C5A91
                                            • Part of subcall function 004C5A8C: SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 004C5AB7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: File$AttributesH_prolog$Delete
                                          • String ID:
                                          • API String ID: 579516761-0
                                          • Opcode ID: 99b4b1cdc0e49cb55c9d2f2b67b5216fc1bad53b0a5217db02d0102e430729a7
                                          • Instruction ID: 2c44a069769a0355be0a857fe38040ba41a5c77345333a39f5c0ce4bb19fd077
                                          • Opcode Fuzzy Hash: 99b4b1cdc0e49cb55c9d2f2b67b5216fc1bad53b0a5217db02d0102e430729a7
                                          • Instruction Fuzzy Hash: 4D114C3EA0010197CF94A6B69452FBF6B559F913A8F09812FDD11A3393CE2D8C069555
                                          APIs
                                          • fputs.MSVCRT ref: 004F8437
                                          • fputs.MSVCRT ref: 004F8401
                                            • Part of subcall function 004C1FB3: __EH_prolog.LIBCMT ref: 004C1FB8
                                          • __EH_prolog.LIBCMT ref: 004F83C4
                                            • Part of subcall function 004C1FA0: fputc.MSVCRT ref: 004C1FA7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prologfputs$fputc
                                          • String ID:
                                          • API String ID: 678540050-0
                                          • Opcode ID: e6390080bad94908ef50d384a7e690ea315df362305019e5c17677443f47d944
                                          • Instruction ID: 538ac1b8303525925a50f8230c64db1973df81074730e31aab0672727e72ff9d
                                          • Opcode Fuzzy Hash: e6390080bad94908ef50d384a7e690ea315df362305019e5c17677443f47d944
                                          • Instruction Fuzzy Hash: 5511A335A041059BCF05B7A2D813FAEBF65EF85758F00002FF501A32A2DFAD59058BD8
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004C6BFA
                                          • GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 004C6C1A
                                            • Part of subcall function 004C1E40: free.MSVCRT ref: 004C1E44
                                          • GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 004C6C49
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: AttributesFile$H_prologfree
                                          • String ID:
                                          • API String ID: 86656847-0
                                          • Opcode ID: f351a54beafe42b5602ce6b05849f704b979367bd113aeb1a2043b1437cf58cd
                                          • Instruction ID: 4b0a854f42d1c1d25fa05f317e815aff7b3c751c6586b22fd57add5e6669d9dc
                                          • Opcode Fuzzy Hash: f351a54beafe42b5602ce6b05849f704b979367bd113aeb1a2043b1437cf58cd
                                          • Instruction Fuzzy Hash: AD01263AA0010097CB4167F598C6FBEBB65EB85374F10062FF910A3292CA788C45A698
                                          APIs
                                          • fputs.MSVCRT ref: 004FC840
                                            • Part of subcall function 004C25CB: _CxxThrowException.MSVCRT(?,00574A58), ref: 004C25ED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: ExceptionThrowfputs
                                          • String ID:
                                          • API String ID: 1334390793-399585960
                                          • Opcode ID: dc2d8527c147f831e9844390858f18a2486d5220e64c57df162b72b76f3030c8
                                          • Instruction ID: d69767944bba4eeb36e86e09015c66bc3683f35b4d3910b2c8fc9f86dda07b73
                                          • Opcode Fuzzy Hash: dc2d8527c147f831e9844390858f18a2486d5220e64c57df162b72b76f3030c8
                                          • Instruction Fuzzy Hash: C711C4716047489FDB15DF59C9C1BAAFBE6EF4A304F04446EE1868B251C7B5BC04C764
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs
                                          • String ID: Open
                                          • API String ID: 1795875747-71445658
                                          • Opcode ID: 79f62ba4071867be6fab96875c3cba203a01554d5ece1f0a71767f7d31b6afed
                                          • Instruction ID: eb8d88a9d27f3f8d1aefe814d13b75f5307bf8b66f38b6ef1fc22fcee563d82c
                                          • Opcode Fuzzy Hash: 79f62ba4071867be6fab96875c3cba203a01554d5ece1f0a71767f7d31b6afed
                                          • Instruction Fuzzy Hash: 8311E3365017089FC760DF35ED91AE6BBE5FF24314F00842FE29A83212DA79A804CF54
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 005106B3
                                          • _CxxThrowException.MSVCRT(?,0057D480), ref: 005108F2
                                            • Part of subcall function 004C1E0C: malloc.MSVCRT ref: 004C1E1F
                                            • Part of subcall function 004C1E0C: _CxxThrowException.MSVCRT(?,00574B28), ref: 004C1E39
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: ExceptionThrow$H_prologmalloc
                                          • String ID:
                                          • API String ID: 3044594480-0
                                          • Opcode ID: a8765be4c5f1bc5a7bc247f6338657526bba66af9f99d03c261c1185577f8b85
                                          • Instruction ID: 45ed947cfd2395d056eee8222d8970d5d3a23554fa15b05bcc11213195d29626
                                          • Opcode Fuzzy Hash: a8765be4c5f1bc5a7bc247f6338657526bba66af9f99d03c261c1185577f8b85
                                          • Instruction Fuzzy Hash: 52916C74900249DFDF21DFA8C895AEEBBB5BF49304F14819AE445A7292C770AE84CF61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: e9a1fa6773f4a4a42d16899adb0bcd50237a39c040d41ed54df34c80f9c71e5c
                                          • Instruction ID: 66792de7ec5101670031805ae94381015889815ca6f1db55e5bd528806ea50ab
                                          • Opcode Fuzzy Hash: e9a1fa6773f4a4a42d16899adb0bcd50237a39c040d41ed54df34c80f9c71e5c
                                          • Instruction Fuzzy Hash: 5FF1BA74A00785DFCB21CF64D4B4AAABBE1BF15304F15486FE49A8B311D738A984CB1A
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004D4255
                                            • Part of subcall function 004D440B: __EH_prolog.LIBCMT ref: 004D4410
                                            • Part of subcall function 004C1E0C: malloc.MSVCRT ref: 004C1E1F
                                            • Part of subcall function 004C1E0C: _CxxThrowException.MSVCRT(?,00574B28), ref: 004C1E39
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$ExceptionThrowmalloc
                                          • String ID:
                                          • API String ID: 3744649731-0
                                          • Opcode ID: d720391de942544142af219c2f58a2f90db501a50f843b94acffceafe75862e5
                                          • Instruction ID: cb28da39302fe9f5d3ffa200eb873c206013ebe27f4c4dfa7137011740a75cd9
                                          • Opcode Fuzzy Hash: d720391de942544142af219c2f58a2f90db501a50f843b94acffceafe75862e5
                                          • Instruction Fuzzy Hash: 9951E5B0901784CFC325DF6AC19468AFFF0BF19304F5488AEC49A97762D7B4A608CB61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: ed6aa68c718c5757c658911e741fa2c36bac15bfe09269c06c81080ec885d223
                                          • Instruction ID: c4cd92f4dea26fc38e886f74e51248088f126a14a0f8308f87c99ef568777d2f
                                          • Opcode Fuzzy Hash: ed6aa68c718c5757c658911e741fa2c36bac15bfe09269c06c81080ec885d223
                                          • Instruction Fuzzy Hash: 2E314C70D00249DFCB14EFA6C8919AEBBB4FF94365B20851EE42667341C7749D81CBA4
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004E021F
                                            • Part of subcall function 004D3D66: __EH_prolog.LIBCMT ref: 004D3D6B
                                            • Part of subcall function 004D3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 004D3D7D
                                            • Part of subcall function 004D3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 004D3D94
                                            • Part of subcall function 004D3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 004D3DB6
                                            • Part of subcall function 004D3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 004D3DCB
                                            • Part of subcall function 004D3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 004D3DD5
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID:
                                          • API String ID: 1532160333-0
                                          • Opcode ID: b6366ee109544b93b64e272341112513550772c3e3e79f5fa197d929deb0fb2f
                                          • Instruction ID: 164d0cde318fe85545ef7d1ef54875f14f0017ee610680ed3c454c5a8f4ed5f0
                                          • Opcode Fuzzy Hash: b6366ee109544b93b64e272341112513550772c3e3e79f5fa197d929deb0fb2f
                                          • Instruction Fuzzy Hash: DF2127B1846B90CEC321CF6A86D0686FFF4BB19604B9499AF81DA83B12C374A548CB55
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00500364
                                            • Part of subcall function 005001C4: __EH_prolog.LIBCMT ref: 005001C9
                                            • Part of subcall function 00500143: __EH_prolog.LIBCMT ref: 00500148
                                            • Part of subcall function 004C1E40: free.MSVCRT ref: 004C1E44
                                            • Part of subcall function 005003D8: __EH_prolog.LIBCMT ref: 005003DD
                                            • Part of subcall function 0050004A: __EH_prolog.LIBCMT ref: 0050004F
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$free
                                          • String ID:
                                          • API String ID: 2654054672-0
                                          • Opcode ID: 8f33f3971112a1a785b22e53f11a432ccaeecfff639fe54e8af8891c2426677c
                                          • Instruction ID: 6ac8946ecdbd1a56f5fd486bbc0e8a7fa3b24c914adb517fbc5404ad3b8c1434
                                          • Opcode Fuzzy Hash: 8f33f3971112a1a785b22e53f11a432ccaeecfff639fe54e8af8891c2426677c
                                          • Instruction Fuzzy Hash: C9F0F430914A51DBCB1AEBA8D82A79DBFE4BF45318F10465EE852632D2CBB85B048749
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 1bff1e30612e84948c0ccab205764bd7859f79f703c0edacb2620e44dc0a2832
                                          • Instruction ID: 03c3dab6191467857d54a7019a949382de1fe5d4e1519ede05c62f08a4265700
                                          • Opcode Fuzzy Hash: 1bff1e30612e84948c0ccab205764bd7859f79f703c0edacb2620e44dc0a2832
                                          • Instruction Fuzzy Hash: E5F0AF72E0101EEBCB00DF99C8449AFBB74FF88790B00805EF515E7250CB388A05CB95
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs
                                          • String ID:
                                          • API String ID: 1795875747-0
                                          • Opcode ID: cb54db0981eddd4aee9fe90685f135524812db781d0bca859fe7b571eecbe7de
                                          • Instruction ID: 6fec3c68e6f06cbf0370fa8698f1fb6c67f57a589a23e3a57784cb1c19dc6077
                                          • Opcode Fuzzy Hash: cb54db0981eddd4aee9fe90685f135524812db781d0bca859fe7b571eecbe7de
                                          • Instruction Fuzzy Hash: 9BD01232504119ABCF156B98DC05CDD7BBCEF1D214700441FF541E2161EAB5E514D7A4
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 005180AF
                                            • Part of subcall function 004C1E0C: malloc.MSVCRT ref: 004C1E1F
                                            • Part of subcall function 004C1E0C: _CxxThrowException.MSVCRT(?,00574B28), ref: 004C1E39
                                            • Part of subcall function 0050BDB5: __EH_prolog.LIBCMT ref: 0050BDBA
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: H_prolog$ExceptionThrowmalloc
                                          • String ID:
                                          • API String ID: 3744649731-0
                                          • Opcode ID: 21d6305f46ac979dcce5df40d176e8e70fb90e431aad22a81dc5648f4792759e
                                          • Instruction ID: 1324093e3175d7b69e7b7ffe305b0a88ae07f994065f062994536ecbf17e0770
                                          • Opcode Fuzzy Hash: 21d6305f46ac979dcce5df40d176e8e70fb90e431aad22a81dc5648f4792759e
                                          • Instruction Fuzzy Hash: C3D05B75B01105DFDF48EFB49466B6E7BE0BB84304F00457EA416D3781DF7489008754
                                          APIs
                                          • FindClose.KERNELBASE(00000000,?,004C6880), ref: 004C6853
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          • Opcode ID: acd51ff92b708db0132c1f15821d3576398ec373ce8e93a006e66939bf85b7bf
                                          • Instruction ID: 55a47f4ac32898d0b592f6cf904dc7a027c312d5f15e76447ec68a8d3b688988
                                          • Opcode Fuzzy Hash: acd51ff92b708db0132c1f15821d3576398ec373ce8e93a006e66939bf85b7bf
                                          • Instruction Fuzzy Hash: 75D01235105661468AA46E3D7844ED637D86E163343228B9EF0F0C32E1D774CC879664
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: fputs
                                          • String ID:
                                          • API String ID: 1795875747-0
                                          • Opcode ID: c95d67ea64496d59ad769cf203819151721478e6cfb32d5f80f0b75a4770f9c2
                                          • Instruction ID: cee532a6185b63acb5a3fd96dd3b5abdfa0b377656e2f6ad6278784646c145af
                                          • Opcode Fuzzy Hash: c95d67ea64496d59ad769cf203819151721478e6cfb32d5f80f0b75a4770f9c2
                                          • Instruction Fuzzy Hash: 22D0C7360082519F96555F06EC05C87BFA5FFD5320711081FF480521605BA25815DA64
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: memmove
                                          • String ID:
                                          • API String ID: 2162964266-0
                                          • Opcode ID: 4d67ccf93048a318d5cc31a1b8ffe9196937b807b1b2bc90d2128ee30c75ab79
                                          • Instruction ID: 8039661b08a63bce8e68d40c3bae5f004aa330c0f9f65b1a3c1119fe05785e2a
                                          • Opcode Fuzzy Hash: 4d67ccf93048a318d5cc31a1b8ffe9196937b807b1b2bc90d2128ee30c75ab79
                                          • Instruction Fuzzy Hash: 3D815D79E00259AFCF54CFA8C5C0BAEBBB1EB48304F14846ED51AA7341D779A981CB58
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                          • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                          • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                          • Instruction ID: 74082c6637b40c086823b6b672bdfd0337b8d5fc3534b1313e6f99b079606181
                                          • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                          • Instruction Fuzzy Hash: 59D0137161350515DF4845304C6D79B39B47F5131FF18457DEC13CB191F715C61D9255
                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000), ref: 00546B31
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 092923431c617343100f0bc01f32da5632948e0e15a600f85cc2c94f2b03ac21
                                          • Instruction ID: d2de0b10323c637cfd1192af9a09c1c7e64616d7cdd2f3bde5dbc8a94e6b4e61
                                          • Opcode Fuzzy Hash: 092923431c617343100f0bc01f32da5632948e0e15a600f85cc2c94f2b03ac21
                                          • Instruction Fuzzy Hash: 8AC08CE1A4D280EFDF0213108D447603F208B93300F4A00C1E4445B092C244181CC722
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                          • Instruction ID: fc069a2545471da9758217f514d5e44dde3d74c2a092ca819e130f0666445e18
                                          • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                          • Instruction Fuzzy Hash: C5A024D551104111DD1C11303C15577140033D030F7C004FD7C01C1101F715C10C1007
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: malloc
                                          • String ID:
                                          • API String ID: 2803490479-0
                                          • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                          • Instruction ID: b3422edde2c75baeca6ae448179e4e648af86234a944bad9c5ebaceffcd9caaa
                                          • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                          • Instruction Fuzzy Hash: E6A012CCE00002119D0810353815553182232E060A7D4C474680041109FA14C0082003
                                          APIs
                                          • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00546BAC
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: f1c2b05b66d694b5cab9c0082b423e4e24dba334bd36492eb3bc0403aeaca0b9
                                          • Instruction ID: 3da37baecde151c28a1e570df23e287821b00c83c68cfa17ab4c2e41b2ae540d
                                          • Opcode Fuzzy Hash: f1c2b05b66d694b5cab9c0082b423e4e24dba334bd36492eb3bc0403aeaca0b9
                                          • Instruction Fuzzy Hash: B2A00278684740F7ED606734AE4FF6D3B247790F19F708544B2816A0D05AE47048AA5C
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                          • Instruction ID: ace993715de4fcf3a31853265075e4cdf6b2c569a51a58e4c4b6fb2c8fe6411d
                                          • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                          • Instruction Fuzzy Hash:
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
                                           • Associated: 00000009.00000002.1697973041.00000000004C0000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698107821.000000000056C000.00000002.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
                                           • Associated: 00000009.00000002.1698149911.000000000058B000.00000002.00000001.01000000.0000000A.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
                                          Similarity
                                          • API ID: free
                                          • String ID:
                                          • API String ID: 1294909896-0
                                          • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                          • Instruction ID: af3719750f37591cbf9f6cfe06bef1f5ac6272e0bd82e3a1cb6495113025e509
                                          • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                          • Instruction Fuzzy Hash:
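The function records above pair resolved API calls such as VirtualAlloc.KERNELBASE(00000000) at 00546B31 and VirtualFree.KERNELBASE(?,00000000,00008000) at 00546BAC with the dump they were carved from, an API ID, and opcode/instruction fuzzy hashes, and some records (the free stubs) carry an empty Instruction Fuzzy Hash. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses records in exactly this layout, decodes the VirtualFree dwFreeType (0x8000 is MEM_RELEASE, which Win32 only accepts with dwSize 0, consistent with the 00000000 shown), returns None for a missing fuzzy hash instead of an empty string that would collide across records, and splits a .sdmp dump name into fields. The sample text is copied from this page's records with the "Download File" link text removed. Treating the fourth and fifth dot-separated fields of the .sdmp name as the region base and its PAGE_* protection is an assumption inferred from the values in this report (0x20 on the 4C1000 code dump, 0x02 on the header and read-only dumps, 0x04 on the 582000 data dump), not documented Joe Sandbox behaviour, and the API String ID and fuzzy-hash algorithms are Joe Sandbox's own and are not reproduced here.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source /
Similarity blocks) into structured data and decode the Win32 arguments.
Added example; this is not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records in the report's own layout (values copied from the page).
SAMPLE = """\
APIs
• VirtualAlloc.KERNELBASE(00000000), ref: 00546B31
Memory Dump Source
• Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
• Associated: 00000009.00000002.1698130220.0000000000582000.00000004.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4c0000_7zr.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Instruction Fuzzy Hash: 8AC08CE1A4D280EFDF0213108D447603F208B93300F4A00C1E4445B092C244181CC722
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00546BAC
Memory Dump Source
• Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
Similarity
• API ID: FreeVirtual
• API String ID: 1263568516-0
• Instruction Fuzzy Hash: B2A00278684740F7ED606734AE4FF6D3B247790F19F708544B2816A0D05AE47048AA5C
APIs
Memory Dump Source
• Source File: 00000009.00000002.1697996747.00000000004C1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 004C0000, based on PE: true
Similarity
• API ID: free
• API String ID: 1294909896-0
• Instruction Fuzzy Hash:
"""

SECTION_HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.Module(arg,arg), ref: ADDR"; "?" marks an argument the sandbox could not resolve.
API_CALL_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")

# VirtualFree dwFreeType and PAGE_* constants from winnt.h.
MEM_DECOMMIT = 0x4000
MEM_RELEASE = 0x8000
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw hex strings, or "?" when unresolved
    ref: int     # address of the call site


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # key -> list of values ("Associated" repeats)


def parse_records(text):
    """Each 'APIs' header opens a new record; bullets are API calls or 'Key: value' fields."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                records.append(FunctionRecord())
            continue
        if not line.startswith("•") or not records:
            continue
        body = line.lstrip("•").strip()
        rec = records[-1]
        if section == "APIs":
            m = API_CALL_RE.match(body)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        else:
            key, _, value = body.partition(":")
            rec.fields.setdefault(key.strip(), []).append(value.strip())
    return records


def instruction_fuzzy_hash(rec):
    """None when the report left the hash empty, so empty values never compare equal."""
    return rec.fields.get("Instruction Fuzzy Hash", [""])[0] or None


def describe_virtual_free(call):
    """Decode VirtualFree(lpAddress, dwSize, dwFreeType); MEM_RELEASE requires dwSize == 0."""
    if call.name != "VirtualFree" or len(call.args) != 3:
        raise ValueError("expected VirtualFree with three arguments")
    size = None if call.args[1] == "?" else int(call.args[1], 16)
    free_type = int(call.args[2], 16)
    flags = [n for n, v in (("MEM_DECOMMIT", MEM_DECOMMIT), ("MEM_RELEASE", MEM_RELEASE)) if free_type & v]
    consistent = None if size is None else (not (free_type & MEM_RELEASE) or size == 0)
    return {"flags": flags, "size": size, "consistent": consistent}


def parse_sdmp_name(name):
    """Split a .sdmp name. Assumption: field 4 is the region base, field 5 its PAGE_* protection."""
    parts = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    prot = int(parts[4], 16)
    return {"process_index": int(parts[0], 16), "base": int(parts[3], 16),
            "protection": PAGE_PROTECTION.get(prot, hex(prot))}


def summarize(text):
    """(API ID, [Name@callsite], instruction fuzzy hash or None) per record."""
    return [(rec.fields.get("API ID", [""])[0],
             [f"{c.name}@{c.ref:08X}" for c in rec.apis],
             instruction_fuzzy_hash(rec)) for rec in parse_records(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Running the module prints one tuple per record; the hash tuples can be joined against another report's records to find shared functions, and a None hash is skipped rather than matched.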