Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b2.0.1.exe (renamed because the original name is a hash value)
Original sample name: 2.0.1.exe
Analysis ID: 1580390
MD5: 41e1d55f027ccbe1d6f1791b7dfa7230
SHA1: 00dec8637d70bd850f93eb84a321f378bf840429
SHA256: 83bc10b4f3f87db6168859335d139a1d85546fde941417bb4878a12297cc0f1c
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U52a9#U624b2.0.1.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" MD5: 41E1D55F027CCBE1D6F1791B7DFA7230)
    • #U5b89#U88c5#U52a9#U624b2.0.1.tmp (PID: 6620 cmdline: "C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" MD5: 1AAE13D934719B05CE28D55B93D3EAF0)
      • powershell.exe (PID: 6644 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2304 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U52a9#U624b2.0.1.exe (PID: 764 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT MD5: 41E1D55F027CCBE1D6F1791B7DFA7230)
        • #U5b89#U88c5#U52a9#U624b2.0.1.tmp (PID: 6668 cmdline: "C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10029A,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT MD5: 1AAE13D934719B05CE28D55B93D3EAF0)
          • 7zr.exe (PID: 4048 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 4340 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 4340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 6064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2596 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4904 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6360 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4076 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5244 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6528 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5764 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6640 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4228 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6360 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6336 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4520 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3704 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3264 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4924 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5576 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4484 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 744 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4904 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5936 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4076 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6684 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4520 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4484 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5164 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5724 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3264 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5572 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, ParentProcessId: 6620, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6644, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2596, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 4904, ProcessName: sc.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, ParentProcessId: 6620, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6644, ProcessName: powershell.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2596, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 4904, ProcessName: sc.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, ParentProcessId: 6620, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6644, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\update.vac | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\update.vac | ReversingLabs: Detection: 23%
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb | source: 7zr.exe, 0000000C.00000003.1825853040.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1826027383.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE8B430 FindFirstFileA,FindClose,FindClose, 6_2_6BE8B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_001A6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_001A7496
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000003.1790794464.0000000004000000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.6.dr, update.vac.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1702059313.000000007F17B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1701597844.0000000003210000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.1703688764.0000000000261000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.1794257506.0000000000F6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1702059313.000000007F17B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1701597844.0000000003210000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.1703688764.0000000000261000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.1794257506.0000000000F6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr | Static PE information: section name: .#.q
Source: update.vac.6.dr | Static PE information: section name: .#.q
Source: hrsw.vbc.6.dr | Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD13886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD13886
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE95690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6BE95690
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE962D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6BE962D0
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD13A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD13A6A
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD139CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD139CF
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD13D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD13D62
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD13D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD13D18
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD13C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD13C62
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD11950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6BD11950
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD14754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6BD14754
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: String function: 6BF66F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: String function: 6BEC9240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 0023FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001A28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 001A1E40 appears 83 times
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1701597844.000000000332E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameqfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1702059313.000000007F47A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileNameqfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000000.1699725845.0000000000769000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameqfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Binary or memory string: OriginalFileNameqfNlzMTb92O1uCBH.exe vs #U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal84.evad.winEXE@135/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE962D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6BE962D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_001A9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001B3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_001B3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_001A9252
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE957B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,6_2_6BE957B0
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File created: C:\Program Files (x86)\Windows NT\is-RLQ8O.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | File created: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
Source: unknown | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10029A,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10029A,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe Static file information: File size 6118958 > 1048576
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1825853040.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1826027383.0000000003F90000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_002257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_002257D0
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x343abb
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe Static PE information: real checksum: 0x0 should be: 0x5dd25c
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343abb
Source: #U5b89#U88c5#U52a9#U624b2.0.1.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .#.q
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .#.q
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6BD40F00 push ss; retn 0001h 6_2_6BD40F0A
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6BE98C5B push ecx; ret 6_2_6BE98C6E
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6BECB9F4 push 004AC35Ch; ret 6_2_6BECBA0E
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6BF66F10 push eax; ret 6_2_6BF66F2E
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp Code function: 6_2_6BF67290 push eax; ret 6_2_6BF672BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_001A45F4 push 0024C35Ch; ret 10_2_001A460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0023FB10 push eax; ret 10_2_0023FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0023FE90 push eax; ret 10_2_0023FEBE
Source: update.vac.1.dr Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.6.dr Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.6.dr Static PE information: section name: .#.q entropy: 7.193027440134885
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe File created: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe File created: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6302
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3504
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Window / User API: threadDelayed 611
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Window / User API: threadDelayed 578
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Window / User API: threadDelayed 572
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7008 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE8B430 FindFirstFileA,FindClose,FindClose, 6_2_6BE8B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_001A6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_001A7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001A9C60 GetSystemInfo, 10_2_001A9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BD13886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6BD13886
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BEA06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6BEA06F1
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_002257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_002257D0
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BEAA2D6 mov eax, dword ptr fs:[00000030h] 6_2_6BEAA2D6
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BEAA2A5 mov eax, dword ptr fs:[00000030h] 6_2_6BEAA2A5
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE9F6ED mov eax, dword ptr fs:[00000030h] 6_2_6BE9F6ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BE9922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6BE9922D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp | Code function: 6_2_6BF67720 cpuid 6_2_6BF67720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_001AAB2A GetSystemTimeAsFileTime, 10_2_001AAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00240090 GetVersion, 10_2_00240090
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\sc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (leading digits are the report's signature-count badges; techniques without a badge are the matrix's unmatched entries)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 43 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 35 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1580390 | Sample: #U5b89#U88c5#U52a9#U624b2.0.1.exe | Startdate: 24/12/2024 | Architecture: WINDOWS | Score: 84

Signatures attached to the start node: Multi AV Scanner detection for dropped file; Found driver which could be used to inject code into processes; PE file contains section with special chars; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Process tree (indentation shows which process started which; bracketed numbers are the graph's count badges; "dropped" lines are files written by the process above them):

#U5b89#U88c5#U52a9#U624b2.0.1.exe [2]
  dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, PE32
  #U5b89#U88c5#U52a9#U624b2.0.1.tmp [3 5]
    dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    signature: Adds a directory exclusion to Windows Defender
    #U5b89#U88c5#U52a9#U624b2.0.1.exe [2]
      dropped: C:\...\#U5b89#U88c5#U52a9#U624b2.0.1.tmp, PE32
      #U5b89#U88c5#U52a9#U624b2.0.1.tmp [4 16]
        dropped: C:\Users\user\AppData\Local\...\update.vac, PE32
        dropped: C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32
        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        dropped: C:\Program Files (x86)\Windows NT\7zr.exe, PE32
        signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        7zr.exe [2]
          dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
          conhost.exe
        cmd.exe
          sc.exe
            conhost.exe
        7zr.exe [7]
          conhost.exe
    powershell.exe [23]
      signature: Loading BitLocker PowerShell Module
      conhost.exe
      WmiPrvSE.exe
cmd.exe
  sc.exe [1]
    conhost.exe
cmd.exe
  sc.exe [1]
    conhost.exe
30 other processes
  sc.exe [1]
    conhost.exe
  sc.exe [1]
    conhost.exe
  sc.exe [1]
    conhost.exe
  26 other processes
    conhost.exe
    25 other processes

Sample:
Source                                                               Detection  Scanner        Label  Link
#U5b89#U88c5#U52a9#U624b2.0.1.exe                                    0%         ReversingLabs

Dropped files:
Source                                                               Detection  Scanner        Label  Link
C:\Program Files (x86)\Windows NT\7zr.exe                            0%         ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc                           24%        ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll                       9%         ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\_isetup\_setup64.tmp   0%         ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DE36D.tmp\update.vac             24%        ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\_isetup\_setup64.tmp   0%         ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GN9C4.tmp\update.vac             24%        ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs (columns: Name, Source, Malicious, Antivirus Detection, Reputation):

Name:https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source:#U5b89#U88c5#U52a9#U624b2.0.1.exe
Malicious:false
Antivirus Detection:
Reputation:high

Name:https://www.remobjects.com/ps
Source:#U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1702059313.000000007F17B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1701597844.0000000003210000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.1703688764.0000000000261000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.1794257506.0000000000F6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr
Malicious:false
Antivirus Detection:
Reputation:high

Name:https://www.innosetup.com/
Source:#U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1702059313.000000007F17B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.exe, 00000000.00000003.1701597844.0000000003210000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000001.00000000.1703688764.0000000000261000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp, 00000006.00000000.1794257506.0000000000F6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b2.0.1.tmp.0.dr
Malicious:false
Antivirus Detection:
Reputation:high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580390
        Start date and time:2024-12-24 13:09:20 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 10m 10s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
Number of new started processes analysed:110
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U52a9#U624b2.0.1.exe
        renamed because original name is a hash value
        Original Sample Name:2.0.1.exe
        Detection:MAL
        Classification:mal84.evad.winEXE@135/33@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 77%
        • Number of executed functions: 67
        • Number of non-executed functions: 74
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 20.109.210.53, 2.16.168.102, 2.16.168.117, 20.242.39.171
        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, dns.msftncsi.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.1.exe
        No simulations
        No context
        No context
        No context
        No context
Match:C:\Program Files (x86)\Windows NT\7zr.exe
Associated Sample Name / URL            SHA 256  Detection  Threat Name  Link    Context
#U5b89#U88c5#U52a9#U624b2.0.6.exe                malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b2.0.7.exe                malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b2.0.4.exe                malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b2.0.5.exe                malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b2.0.2.exe                malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b2.0.3.exe                malicious  Unknown      Browse
cVyexkZjrG.exe                                   malicious  Unknown      Browse
cVyexkZjrG.exe                                   malicious  Unknown      Browse
#U5b89#U88c5#U52a9#U624b1.0.3.exe                malicious  Unknown      Browse
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse
                          • Filename: cVyexkZjrG.exe, Detection: malicious, Browse
                          • Filename: cVyexkZjrG.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1366688
                          Entropy (8bit):7.999860182084113
                          Encrypted:true
                          SSDEEP:24576:ykszubJEHXUnZ5lDGPymP+zGKCdzE1Ec7NVbudpaG3pVDQuYyeZ8JkltMr4CZzgN:tJCUnxDGPymGkdzE1D7naaG5VDQuYye3
                          MD5:163660B027C20F57AD577359C6812B33
                          SHA1:77DB7B0BDFB312B1E74C14F3CCDE791171E49A8D
                          SHA-256:9A82396DF35501784695C4A8D0A6C31839C1ED2A14F0F0D8FC4A939831FF1E93
                          SHA-512:A8E7BF3C46482D2CB3FC5848BFB0CA924E0500FBBB1ECBB6A2439AC79E18C781C9F18C65EC8909F8B9FE1B5B325ABB82F7861C658C2B6BAFA0F9995C630CDDE2
                          Malicious:false
                          Preview:.@S.........&...............dt.-.hS...p...{.<....&......G.oN.....-.....B..._.`Q.....9vg...r..^....K.Pr......b7.cv.k.w.o........y..3."....k..T..'....Z...C.........s`,...I....b#e.........R9......f.ht.!@..).z.'$0.=.^....*U..Z....`..v..lVy.*../b...:.T..}VB.rn......p. @....|.#4,r.)8.53.........A...c.N.1..&N.O..Z.&.9/[`.5.......f..H|D.....kb...W.Xx...vm.N.dn...h.&.+.D.*f.^..m.6.Sn.^..d...... /.M.._u.-F...P..."..}.F..,.".j?.........m.m-.T...y......nN......kJ.i..w...<5.~...k&}c...=34!}.8x..I.%..j.V]"..-...ZxW.........>.#m.. .<...*.RU..5T.F......r..'E.bIiJ.............. i.=.........0.;>v.C.. t%`....J.j.9a..<....Ml.9.nZ.U.....Azy.9V.u\y.X..5../1.g@.e.I.H.....0..$..8...eU.U..x..Y..V .f.....]O6H..vE.WNA.S.t.I.L.9...2]..9.Q..u...R.. .J.4..%.7.!.v.X..5#<PEc.....}.UR..i....."U;.X..f...IO..*...#.....l..b...'..[1..F....9n.Y.Hr.eu.9WHW#.u.........}.>.24.?....RR...-.F=W3..j.....%v...$S'P?.+......X...lB.....4]....G.n.3.{......K./.....zp..F0...Y..a..]..
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:OpenPGP Public Key
                          Category:dropped
                          Size (bytes):1116602
                          Entropy (8bit):7.999845601264198
                          Encrypted:true
                          SSDEEP:24576:P5fyz7KSU1Mu/Nz9srsOI1fPIsaFMkul+w/clfZNoY3NB9lcSWodVo/zEH:0z7Kr5V6sOI1XIe3/cbNh3NPlPdVoIH
                          MD5:E167D6FBCB2A46EEBE2FC38F091A3BD3
                          SHA1:E0F10FF2CB7E3628FCE672143916BE714AA66391
                          SHA-256:842C85ABF00D78276A5D402908B4D97BE063CD50B9A0416589C5D2EA65C40DD0
                          SHA-512:BDC65C655684E77EFFD208E9622A506F41500651BD0B6C035C09E3FC6BB86F62115C88F24A0C1711D0F1F66E2FA06DA9055D659247F1DB15E9BA55D4C9BB71DF
                          Malicious:false
                          Preview:.....8@..\.S.D..7F....+....Z..R..&e.~&.p.p.!..Gf.64...B<..*#.............c%h....3DV...NW.^br..I..y..#.+L&D.k:y...^./....N.\.0.....U...W.&.^x....qYy.{...T.g..c._.*eC..../k...<.X...........+.L2..^..........I0Y.+..9-<...^........iq...<.D. .4........x.@%..>.5M...cq...y...D....`.;..]....@5*"_"*.W.......4.....O.9T.......OD...6PQ..V........)......57..............N......AM}..(...vM.o...<I].8...O;.........i..C;.6."*b..E..()..9Yh..i..../!L.....h.YJ2...(.._..d%....U4i>48..i]k.^.|Jm.......Y...l......<..@........Z(6q.....w.#.S|...#.......B..enr....&...+e).`....-....b.._....7$)N.;.*ha&V.V.,.dP`*A..wAS.'}"'.H.....e..]...F.'q.......^oA.x-..,...-...+T...g.R.. .t..s_.d...4,....W...,RU5l.....%l...qq...;?K.]..%..}...yZ...]o..o..@.U......q?Y..J.h.MH...u.....E.%.-........w.,.I...)...*)....g..``Z.z......_..&..y...G.O.......k.....>..%.H.K..T(.0.B..U..X....1T)].$.,....9...~.Z..].....j.....Y2x..w8....H.|O..1.:f...Sk.@tG..l..~6\:..x.$..E.K.....g....Gz...
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1366688
                          Entropy (8bit):7.999860182084113
                          Encrypted:true
                          SSDEEP:24576:ykszubJEHXUnZ5lDGPymP+zGKCdzE1Ec7NVbudpaG3pVDQuYyeZ8JkltMr4CZzgN:tJCUnxDGPymGkdzE1D7naaG5VDQuYye3
                          MD5:163660B027C20F57AD577359C6812B33
                          SHA1:77DB7B0BDFB312B1E74C14F3CCDE791171E49A8D
                          SHA-256:9A82396DF35501784695C4A8D0A6C31839C1ED2A14F0F0D8FC4A939831FF1E93
                          SHA-512:A8E7BF3C46482D2CB3FC5848BFB0CA924E0500FBBB1ECBB6A2439AC79E18C781C9F18C65EC8909F8B9FE1B5B325ABB82F7861C658C2B6BAFA0F9995C630CDDE2
                          Malicious:false
                          Preview:.@S.........&...............dt.-.hS...p...{.<....&......G.oN.....-.....B..._.`Q.....9vg...r..^....K.Pr......b7.cv.k.w.o........y..3."....k..T..'....Z...C.........s`,...I....b#e.........R9......f.ht.!@..).z.'$0.=.^....*U..Z....`..v..lVy.*../b...:.T..}VB.rn......p. @....|.#4,r.)8.53.........A...c.N.1..&N.O..Z.&.9/[`.5.......f..H|D.....kb...W.Xx...vm.N.dn...h.&.+.D.*f.^..m.6.Sn.^..d...... /.M.._u.-F...P..."..}.F..,.".j?.........m.m-.T...y......nN......kJ.i..w...<5.~...k&}c...=34!}.8x..I.%..j.V]"..-...ZxW.........>.#m.. .<...*.RU..5T.F......r..'E.bIiJ.............. i.=.........0.;>v.C.. t%`....J.j.9a..<....Ml.9.nZ.U.....Azy.9V.u\y.X..5../1.g@.e.I.H.....0..$..8...eU.U..x..Y..V .f.....]O6H..vE.WNA.S.t.I.L.9...2]..9.Q..u...R.. .J.4..%.7.!.v.X..5#<PEc.....}.UR..i....."U;.X..f...IO..*...#.....l..b...'..[1..F....9n.Y.Hr.eu.9WHW#.u.........}.>.24.?....RR...-.F=W3..j.....%v...$S'P?.+......X...lB.....4]....G.n.3.{......K./.....zp..F0...Y..a..]..
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996921999968999
                          Encrypted:true
                          SSDEEP:768:EGKpPX5PW6qfdpqmU5Vem8ibSYcDnbzqZB0avLHLfI0OB8K6OLylr3tBmh2l3lEd:Y9X5P6la55r2nXfa7LZOd6t3tBFhSm0
                          MD5:C7DDF3AF8F2B5FEC9A806B56092AF1DD
                          SHA1:5640A2ED6331DCAC5AC817BA497E793F798A8BDC
                          SHA-256:3890185FA1CC1B3B3731D4DAB64190861B2865162EC4E4DAC62C60AEADA98289
                          SHA-512:EA4496F8A65630AEFEA80EC47C2998EBC5556B6277387F13AF2308157CA7A8E0A9135D1F0C27A9A7BA8AEBEEBA36CBAF96C3F5B5A38291D7B3C7A4B74070217A
                          Malicious:false
                          Preview:.@S.....`.el ..............QO..n.z........+..........L.+....9.v..........Wq...T....<a89h....j.U..'....{8J.x.8|.0.g...K~t.qR.4..9M.........v......)T....by^.v.0.V1a.b.4..2....~[.u..V..."...QO.rl.I....#.....DH*2e..K"n.......fo..X\D.....50.....wZ3.g.....6..@...<f7....y..Z...-..P.zR..V!.6^.#....}Xu.]C..|....n.X..m.W3-B...G...N...k.T.0...>....:....5...r.N'.A...B..Vs.SC..#~.R..A.8...1.q......V]...M..G..K..7.......`A.~.S8.U.....}..../......D...~..p.....GF...C;.O`.q.c...m..;.m|.a v...p..`e.0/.h0.G.k.[.3.....C.a..nan.U........9Q..G......Wm.e?.....j-....m.z...=.U..w..Gs..v..!)...[..LFl..|....|2*.u.B{'....#J....we...N.J.v..C.Q....n..W@.=..2.6....g.|..[cT4.....T...s.2...q-....EL..S.E......Q...~......|...\nZ..`$......e.<J.......J.Ad.2.v....v.IU.D...t... ....q.^S.8+,..k.~......Q..@.....d)..*z2u..#.)?.(.F+1.`<s@.H.7..6N.).o).wnB.b.dG.P..q..%......*.&:R....-9.....j..lCy..}...w...~.|......wJ}.q1..\U...&...m._..V..........l..6b..8...L..a.6}.KA...
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996921999969004
                          Encrypted:true
                          SSDEEP:1536:VVcNVJQXv8NwowzmiDU8OtRGZDQt2WtajHvxUoQm5:ryQf0azJQ8OtRGaBgrvxVQm5
                          MD5:87672557096F6B0A3EC8684AFA54BCE1
                          SHA1:B8846DFADBB26AE4CB18294879B1C13D1DCF48A2
                          SHA-256:2C390C0DAFBCFF69F367944A596C8198351A3300F94E4527B3D361CA37A35EDF
                          SHA-512:2CAAD01135D71A7DCB36FEAFC437749D23CAFB44A4CC501B8B5BED830D172363D966AD081DC410E9EFFB2B32B953C1FD0964487F056A9C9FF614C5C2186AC066
                          Malicious:false
                          Preview:7z..'...............2.........Kn...[JUW=@-.AR.[z@..#1....5.j.Ib.x.M..Q..1..d.._.i.O}#Kr....NE:*.[.)..?..v|....h.....[..."O..{..0.....#5..UU.p^).X..7..*...4N.b.;..7....T.wUq.Z..S.3.a2x..@."..}.....C. .~.OZ?.....f..t+..%W1....0....k.`1..aJn?..M.....:r.@..2+....|?<..T`..c...S.....Ir....\.B}.\.....c>......-.Y9.:X...eJl.^.?.,...!.....{"P..5^HP.rl...v*..>\..E.Z.#.VE........3E....}{g.E...V.p....T|....K|.DI...p.v.4..y.a..a.q[.K.J. .&..I.`n.U..:.......I...+.).......2...h$....+..K..K.I6..r#J.....9..v.b._.?.=v..y....*...{.g:;Ey.He...-_.ioP].x..;y..io"~#......].T/..T.B.=.aN..P..EI..C6V..z.......k.l.....o...W-n)..%.7w._.1.....p.....$...}....67.s.).c..a.*......U......D...\..X-H.)S../W;...PAb5<..i..z....b.~.i........:z."4..9K..x..+.H.....7.)j...qbE..F.....E..Y.....Cr........q...o9:J..m.+I....KW..e7B..R.....E.....:.....QL.#.U#......."...\....c...G..hV+6.6Z.y..>._+..)^+rv.9......F-..?&.PRv.y....../......`...Szv./.`...cl.\ %XwyJ0... ..8..YqY...R.-~..H.#
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):1366688
                          Entropy (8bit):7.999860182084105
                          Encrypted:true
                          SSDEEP:24576:c1Nhc/EX4XVdL9TqNs4NT5Tr+RnPFOBHXVc8gydr6ctM81I6xkSe4e:c+DVdLcJ5v+RPUZXVc8F/tZC6xk
                          MD5:D86369BB0C19CDDCBCE595A11EFE8F22
                          SHA1:57EB12346F5141F5FC607A69A908125C37610A51
                          SHA-256:F71D3505B6FC12B10D87D0A05BB113E2BDC2E96984240C0905F15D04E08E577C
                          SHA-512:BB16E39CFF28A8016E12B2FEDFF04FE5DAA8032D6F709C601D95F39768C2DC127C1588A4B53294A5F33D8E22E06C803445B40BA71E22F584EE552399950EF037
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.344834847024567
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnbL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnKwhldOVQOj6dKbKsz7
                          MD5:7F252B19B6E96247184F55570325E9FA
                          SHA1:E6D4AD432CB4864C0E1A08FB15255F7973807B3D
                          SHA-256:84460DE817C9A6637650C7ED83D15DD14836FB841FF9790D4F2D1A8D6BAAB0ED
                          SHA-512:A5741E4F5095BB24A28E5909CC659CB53535BD1E7A2555FA9D2660155F8CA80F96136E2CA589CCD2154FCF264B8FD525782B8C9752022B986F20D3F1454496EF
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvai
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:OpenPGP Public Key
                          Category:dropped
                          Size (bytes):1116602
                          Entropy (8bit):7.999845601264198
                          Encrypted:true
                          SSDEEP:24576:P5fyz7KSU1Mu/Nz9srsOI1fPIsaFMkul+w/clfZNoY3NB9lcSWodVo/zEH:0z7Kr5V6sOI1XIe3/cbNh3NPlPdVoIH
                          MD5:E167D6FBCB2A46EEBE2FC38F091A3BD3
                          SHA1:E0F10FF2CB7E3628FCE672143916BE714AA66391
                          SHA-256:842C85ABF00D78276A5D402908B4D97BE063CD50B9A0416589C5D2EA65C40DD0
                          SHA-512:BDC65C655684E77EFFD208E9622A506F41500651BD0B6C035C09E3FC6BB86F62115C88F24A0C1711D0F1F66E2FA06DA9055D659247F1DB15E9BA55D4C9BB71DF
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1628158735648508
                          Encrypted:false
                          SSDEEP:3:NlllulFgtj:NllUa
                          MD5:E986DDCA20E18C878305AA21342325F6
                          SHA1:AE6890EE7BB81A051A4F4079F549DEBCCE0F82C9
                          SHA-256:9624DAA47DF80C2229877179550D8373CAEEEAE25A8123698D7A516AD455DD15
                          SHA-512:8B0CD5C1F0BAECA299669D6A0CB74F9315E90B05EDEA16C92B92D9927D3D07225AC5DAE9941CF339E1CED349BA8129F56F118CF89AB86CF8DAAAFFDB8EC8B56D
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.530566879501966
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:1AAE13D934719B05CE28D55B93D3EAF0
                          SHA1:902693CA02CB43E5C545D4B8AB6C7BB0B7168EAE
                          SHA-256:F1E3AC54EC572C70A3D8BF8297C0C41525C8FDDAF0C1D9F525E647B6745A2E33
                          SHA-512:824DC30F433845B077C83D8B6861FBC7FD55EB2AC40E2F7E6056D397111F121795AAC8495C787BE2D418EAC55DF356B64A9F998C71B348319F1A60C237351E8A
                          Malicious:true
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                          Process:C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3606016
                          Entropy (8bit):7.0063494494702985
                          Encrypted:false
                          SSDEEP:49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
                          MD5:95ACD5631A9131DB1FD066565AFC9A67
                          SHA1:8E9473BD632FF0F57FC34EECAC17174341D80D94
                          SHA-256:EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
                          SHA-512:70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 24%
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.929467630490579
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U52a9#U624b2.0.1.exe
                          File size:6'118'958 bytes
                          MD5:41e1d55f027ccbe1d6f1791b7dfa7230
                          SHA1:00dec8637d70bd850f93eb84a321f378bf840429
                          SHA256:83bc10b4f3f87db6168859335d139a1d85546fde941417bb4878a12297cc0f1c
                          SHA512:d995d487df981bcba41d0b491635470cc32b4868507a743654f0bb25fdff3aa7d7ef7f5e8cf416f72c237908948e605b5e590a77fdea5b76054cb856fb329373
                          SSDEEP:98304:XwREsJXyDGAMfZaqwODvM6zEzZK4IOI1FRhhdEnkqeyMBCqNrkeEBPBbUPm/dMwZ:lQXyDmBPvMCisV17BIeyMPkFHHZ
                          TLSH:B3561213F2CBE03EE05E1B3705B2A55494FB6A21A522AD5796ECB4ECCF350601E3E647
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F3780CE04B5h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F3780D71E3Bh
                          call 00007F3780D7198Eh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F3780D6C668h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F3780CDA563h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F3780D6D993h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F3780D71EC3h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F3780D78BAAh
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F3780D6E288h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | f7f34886de1e0b5b09b184e0a7b8e644 | False | 0.18784466911764705 | data | 3.7243229972960936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2790368271954674
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Imports
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken
                          English | United States
                          No network behavior found

                          Target ID:0
                          Start time:07:10:14
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
                          Imagebase:0x6b0000
                          File size:6'118'958 bytes
                          MD5 hash:41E1D55F027CCBE1D6F1791B7DFA7230
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:07:10:14
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-6P28E.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$20430,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe"
                          Imagebase:0x260000
                          File size:3'366'912 bytes
                          MD5 hash:1AAE13D934719B05CE28D55B93D3EAF0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:07:10:15
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:07:10:15
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:07:10:19
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff693ab0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:5
                          Start time:07:10:23
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
                          Imagebase:0x6b0000
                          File size:6'118'958 bytes
                          MD5 hash:41E1D55F027CCBE1D6F1791B7DFA7230
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:6
                          Start time:07:10:23
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-M2PSJ.tmp\#U5b89#U88c5#U52a9#U624b2.0.1.tmp" /SL5="$10029A,5164621,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.1.exe" /VERYSILENT
                          Imagebase:0xcf0000
                          File size:3'366'912 bytes
                          MD5 hash:1AAE13D934719B05CE28D55B93D3EAF0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:7
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0x1a0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          Has exited:true

                          Target ID:11
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:12
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0x1a0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:07:10:26
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:07:10:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:07:10:28
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff72bec0000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:53
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff7699e0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:07:10:29
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:07:10:30
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:07:10:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff6c3310000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:107
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:108
                          Start time:07:10:32
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff683ad0000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                            Execution Graph

                            Execution Coverage:2.3%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:15.5%
                            Total number of Nodes:818
                            Total number of Limit Nodes:9
66222->66220 66727 6bd62250 30 API calls 66222->66727 66223 6bea1088 67 API calls 66223->66222 66225 6bd371ae 66728 6bd62340 24 API calls 66225->66728 66227 6bd371be 66729 6be998e9 RaiseException 66227->66729 66229 6bd371c9 66231 6bd5e04b 66230->66231 66232 6bd5e0a3 66231->66232 66233 6bd601f0 64 API calls 66231->66233 66232->66050 66234 6bd5e098 66233->66234 66235 6bea1088 67 API calls 66234->66235 66235->66232 66236->66045 66238 6be9563a 66237->66238 66239 6be955f0 WaitForSingleObject CloseHandle CloseHandle 66238->66239 66240 6be95653 66238->66240 66239->66238 66240->66054 66241->66065 66243 6be95f27 66242->66243 66775 6be96560 66243->66775 66245 6be95f38 66246 6bd36ba0 104 API calls 66245->66246 66250 6be95f5c 66246->66250 66247 6bd5e010 67 API calls 66248 6be9600f std::ios_base::_Ios_base_dtor 66247->66248 66251 6bd5e010 67 API calls 66248->66251 66252 6be95fc4 66250->66252 66258 6be95fd7 66250->66258 66794 6be968b0 66250->66794 66802 6bd72370 66250->66802 66256 6be96052 std::ios_base::_Ios_base_dtor 66251->66256 66812 6be96100 66252->66812 66255 6be95fcc 66257 6bd37090 77 API calls 66255->66257 66256->66104 66257->66258 66258->66247 66259->66094 66263 6be95810 std::locale::_Setgloballocale 66260->66263 66261 6be957e7 CloseHandle 66261->66263 66262 6be95890 Process32NextW 66262->66263 66263->66261 66263->66262 66264 6be95921 66263->66264 66265 6be958b5 Process32FirstW 66263->66265 66264->66022 66265->66263 66266->66041 66268->66023 66269->66156 66270->66165 66271->66167 66272->66159 66273->66162 66275 6be6bcb3 _Yarn __wsopen_s std::locale::_Setgloballocale 66274->66275 66276 6be6c6f0 66275->66276 66278 6be6c25d CreateFileA 66275->66278 66279 6be6afa0 66275->66279 66276->66185 66278->66275 66282 6be6afb3 __wsopen_s std::locale::_Setgloballocale 66279->66282 66280 6be6b959 WriteFile 66280->66282 66281 6be6b9ad WriteFile 66281->66282 66282->66280 66282->66281 66283 6be6bc88 66282->66283 66284 6be6b105 ReadFile 66282->66284 66283->66275 66284->66282 66286 6be96fb3 
std::_Facet_Register 4 API calls 66285->66286 66287 6bd6207e 66286->66287 66288 6be97897 43 API calls 66287->66288 66289 6bd62092 66288->66289 66324 6bd62f60 42 API calls 4 library calls 66289->66324 66291 6bd6210d 66294 6bd62120 66291->66294 66325 6be974fe 9 API calls 2 library calls 66291->66325 66292 6bd620c8 66292->66291 66293 6bd62136 66292->66293 66326 6bd62250 30 API calls 66293->66326 66294->66191 66297 6bd6215b 66327 6bd62340 24 API calls 66297->66327 66299 6bd62171 66328 6be998e9 RaiseException 66299->66328 66301 6bd6217c 66301->66191 66303 6be978a3 __EH_prolog3 66302->66303 66329 6be97425 66303->66329 66308 6be978c1 66343 6be9792a 39 API calls std::locale::_Setgloballocale 66308->66343 66309 6be978df 66335 6be97456 66309->66335 66310 6be9791c 66310->66195 66312 6be978c9 66344 6be97721 HeapFree GetLastError _Yarn 66312->66344 66315 6bd36d5d 66314->66315 66316 6bd61ddc 66314->66316 66315->66198 66321 6bd62250 30 API calls 66315->66321 66349 6be979b7 66316->66349 66320 6bd61e82 66321->66200 66322->66202 66323->66204 66324->66292 66325->66294 66326->66297 66327->66299 66328->66301 66330 6be9743b 66329->66330 66331 6be97434 66329->66331 66333 6be97439 66330->66333 66346 6be98afb EnterCriticalSection 66330->66346 66345 6bea093d 6 API calls std::_Lockit::_Lockit 66331->66345 66333->66309 66342 6be977a0 6 API calls 2 library calls 66333->66342 66336 6bea094b 66335->66336 66337 6be97460 66335->66337 66348 6bea0926 LeaveCriticalSection 66336->66348 66338 6be97473 66337->66338 66347 6be98b09 LeaveCriticalSection 66337->66347 66338->66310 66340 6bea0952 66340->66310 66342->66308 66343->66312 66344->66309 66345->66333 66346->66333 66347->66338 66348->66340 66350 6be979c0 66349->66350 66351 6bd61dea 66350->66351 66358 6bea02ba 66350->66358 66351->66315 66357 6be9cad3 18 API calls __cftoe 66351->66357 66353 6be97a0c 66353->66351 66369 6be9ffc8 65 API calls 66353->66369 66355 6be97a27 66355->66351 66370 6bea1088 66355->66370 66357->66320 66360 6bea02c5 __wsopen_s 
66358->66360 66359 6bea02d8 66395 6bea0690 18 API calls __cftoe 66359->66395 66360->66359 66361 6bea02f8 66360->66361 66365 6bea02e8 66361->66365 66381 6beab37c 66361->66381 66365->66353 66369->66355 66371 6bea1094 __wsopen_s 66370->66371 66372 6bea10b3 66371->66372 66374 6bea109e 66371->66374 66380 6bea10ae 66372->66380 66576 6be9cb19 EnterCriticalSection 66372->66576 66591 6bea0690 18 API calls __cftoe 66374->66591 66375 6bea10d0 66577 6bea110c 66375->66577 66378 6bea10db 66592 6bea1102 LeaveCriticalSection 66378->66592 66380->66351 66382 6beab388 __wsopen_s 66381->66382 66397 6bea090f EnterCriticalSection 66382->66397 66384 6beab396 66398 6beab420 66384->66398 66389 6beab4e2 66390 6beab601 66389->66390 66422 6beab684 66390->66422 66393 6bea033c 66396 6bea0365 LeaveCriticalSection 66393->66396 66395->66365 66396->66365 66397->66384 66406 6beab443 66398->66406 66399 6beab3a3 66412 6beab3dc 66399->66412 66400 6beab49b 66417 6bea7755 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 66400->66417 66403 6beab4a4 66418 6bea4d2b HeapFree GetLastError __dosmaperr 66403->66418 66405 6beab4ad 66405->66399 66419 6bea718f 6 API calls std::_Lockit::_Lockit 66405->66419 66406->66399 66406->66400 66406->66406 66415 6be9cb19 EnterCriticalSection 66406->66415 66416 6be9cb2d LeaveCriticalSection 66406->66416 66408 6beab4cc 66420 6be9cb19 EnterCriticalSection 66408->66420 66411 6beab4df 66411->66399 66421 6bea0926 LeaveCriticalSection 66412->66421 66414 6bea0313 66414->66365 66414->66389 66415->66406 66416->66406 66417->66403 66418->66405 66419->66408 66420->66411 66421->66414 66423 6beab6a3 66422->66423 66424 6beab6b6 66423->66424 66427 6beab6cb 66423->66427 66438 6bea0690 18 API calls __cftoe 66424->66438 66426 6beab7eb 66428 6beab617 66426->66428 66442 6bea0690 18 API calls __cftoe 66426->66442 66427->66426 66439 6beb4418 37 API calls __cftoe 66427->66439 66428->66393 66435 6beb454e 66428->66435 66431 6beab83b 66431->66426 66440 6beb4418 37 API 
calls __cftoe 66431->66440 66433 6beab859 66433->66426 66441 6beb4418 37 API calls __cftoe 66433->66441 66443 6beb4906 66435->66443 66438->66428 66439->66431 66440->66433 66441->66426 66442->66428 66445 6beb4912 __wsopen_s 66443->66445 66444 6beb4919 66461 6bea0690 18 API calls __cftoe 66444->66461 66445->66444 66446 6beb4944 66445->66446 66452 6beb456e 66446->66452 66451 6beb4569 66451->66393 66463 6bea0c3b 66452->66463 66457 6beb45a4 66459 6beb45d6 66457->66459 66503 6bea4d2b HeapFree GetLastError __dosmaperr 66457->66503 66462 6beb499b LeaveCriticalSection __wsopen_s 66459->66462 66461->66451 66462->66451 66504 6be9c25b 66463->66504 66466 6bea0c5f 66468 6be9c366 66466->66468 66513 6be9c3be 66468->66513 66470 6be9c37e 66470->66457 66471 6beb45dc 66470->66471 66528 6beb4a5c 66471->66528 66476 6beb460e __dosmaperr 66476->66457 66478 6beb4702 GetFileType 66479 6beb470d GetLastError 66478->66479 66480 6beb4754 66478->66480 66557 6be9ff62 __dosmaperr 66479->66557 66558 6beb1d20 SetStdHandle __dosmaperr __wsopen_s 66480->66558 66481 6beb46d7 GetLastError 66481->66476 66483 6beb4685 66483->66478 66483->66481 66556 6beb49c7 CreateFileW 66483->66556 66484 6beb471b CloseHandle 66484->66476 66499 6beb4744 66484->66499 66487 6beb46ca 66487->66478 66487->66481 66488 6beb4775 66492 6beb47c1 66488->66492 66559 6beb4bd6 70 API calls 2 library calls 66488->66559 66491 6beb47f6 66493 6beb47c8 66491->66493 66494 6beb4804 66491->66494 66492->66493 66573 6beb4c80 70 API calls 2 library calls 66492->66573 66560 6beabe95 66493->66560 66494->66476 66496 6beb4880 CloseHandle 66494->66496 66574 6beb49c7 CreateFileW 66496->66574 66498 6beb48ab 66498->66499 66500 6beb48b5 GetLastError 66498->66500 66499->66476 66501 6beb48c1 __dosmaperr 66500->66501 66575 6beb1c8f SetStdHandle __dosmaperr __wsopen_s 66501->66575 66503->66459 66505 6be9c272 66504->66505 66506 6be9c27b 66504->66506 66505->66466 66512 6bea6f45 5 API calls std::_Lockit::_Lockit 66505->66512 66506->66505 66507 6bea4f22 
__Getctype 37 API calls 66506->66507 66508 6be9c29b 66507->66508 66509 6bea5498 __Getctype 37 API calls 66508->66509 66510 6be9c2b1 66509->66510 66511 6bea54c5 __cftoe 37 API calls 66510->66511 66511->66505 66512->66466 66514 6be9c3cc 66513->66514 66515 6be9c3e6 66513->66515 66518 6be9c34c __wsopen_s HeapFree GetLastError 66514->66518 66516 6be9c3ed 66515->66516 66517 6be9c40c 66515->66517 66520 6be9c30d __wsopen_s HeapFree GetLastError 66516->66520 66524 6be9c3d6 __dosmaperr 66516->66524 66519 6bea4db3 __fassign MultiByteToWideChar 66517->66519 66518->66524 66521 6be9c41b 66519->66521 66520->66524 66522 6be9c422 GetLastError 66521->66522 66523 6be9c448 66521->66523 66525 6be9c30d __wsopen_s HeapFree GetLastError 66521->66525 66522->66524 66523->66524 66526 6bea4db3 __fassign MultiByteToWideChar 66523->66526 66524->66470 66525->66523 66527 6be9c45f 66526->66527 66527->66522 66527->66524 66529 6beb4a97 66528->66529 66531 6beb4a7d 66528->66531 66530 6beb49ec __wsopen_s 18 API calls 66529->66530 66535 6beb4acf 66530->66535 66531->66529 66532 6bea0690 __cftoe 18 API calls 66531->66532 66532->66529 66533 6beb4afe 66534 6beb5e81 __wsopen_s 18 API calls 66533->66534 66540 6beb45f9 66533->66540 66536 6beb4b4c 66534->66536 66535->66533 66538 6bea0690 __cftoe 18 API calls 66535->66538 66537 6beb4bc9 66536->66537 66536->66540 66539 6bea06bd __Getctype 11 API calls 66537->66539 66538->66533 66541 6beb4bd5 66539->66541 66540->66476 66542 6beb1b7c 66540->66542 66543 6beb1b88 __wsopen_s 66542->66543 66544 6bea090f std::_Lockit::_Lockit EnterCriticalSection 66543->66544 66545 6beb1b8f 66544->66545 66546 6beb1bb4 66545->66546 66551 6beb1c23 EnterCriticalSection 66545->66551 66554 6beb1bd6 66545->66554 66549 6beb1db2 __wsopen_s 11 API calls 66546->66549 66547 6beb1c86 __wsopen_s LeaveCriticalSection 66548 6beb1bf6 66547->66548 66548->66476 66555 6beb49c7 CreateFileW 66548->66555 66550 6beb1bb9 66549->66550 66553 6beb1f00 __wsopen_s EnterCriticalSection 66550->66553 66550->66554 
66552 6beb1c30 LeaveCriticalSection 66551->66552 66551->66554 66552->66545 66553->66554 66554->66547 66555->66483 66556->66487 66557->66484 66558->66488 66559->66492 66561 6beb1b12 __wsopen_s 18 API calls 66560->66561 66564 6beabea5 66561->66564 66562 6beabeab 66563 6beb1c8f __wsopen_s SetStdHandle 66562->66563 66572 6beabf03 __dosmaperr 66563->66572 66564->66562 66565 6beabedd 66564->66565 66566 6beb1b12 __wsopen_s 18 API calls 66564->66566 66565->66562 66567 6beb1b12 __wsopen_s 18 API calls 66565->66567 66568 6beabed4 66566->66568 66569 6beabee9 CloseHandle 66567->66569 66570 6beb1b12 __wsopen_s 18 API calls 66568->66570 66569->66562 66571 6beabef5 GetLastError 66569->66571 66570->66565 66571->66562 66572->66476 66573->66491 66574->66498 66575->66499 66576->66375 66578 6bea112e 66577->66578 66579 6bea1119 66577->66579 66583 6bea1129 66578->66583 66593 6bea1229 66578->66593 66615 6bea0690 18 API calls __cftoe 66579->66615 66583->66378 66587 6bea1151 66608 6beabe08 66587->66608 66589 6bea1157 66589->66583 66616 6bea4d2b HeapFree GetLastError __dosmaperr 66589->66616 66591->66380 66592->66380 66594 6bea1241 66593->66594 66598 6bea1143 66593->66598 66595 6beaa1d0 18 API calls 66594->66595 66594->66598 66596 6bea125f 66595->66596 66617 6beac0dc 66596->66617 66599 6bea8cae 66598->66599 66600 6bea114b 66599->66600 66601 6bea8cc5 66599->66601 66603 6beaa1d0 66600->66603 66601->66600 66705 6bea4d2b HeapFree GetLastError __dosmaperr 66601->66705 66604 6beaa1dc 66603->66604 66605 6beaa1f1 66603->66605 66706 6bea0690 18 API calls __cftoe 66604->66706 66605->66587 66607 6beaa1ec 66607->66587 66609 6beabe2e 66608->66609 66613 6beabe19 __dosmaperr 66608->66613 66610 6beabe55 66609->66610 66611 6beabe77 __dosmaperr 66609->66611 66707 6beabf31 66610->66707 66715 6bea0690 18 API calls __cftoe 66611->66715 66613->66589 66615->66583 66616->66583 66619 6beac0e8 __wsopen_s 66617->66619 66618 6beac0f0 __dosmaperr 66618->66598 66619->66618 66620 6beac1a3 __dosmaperr 66619->66620 66621 
6beac13a 66619->66621 66658 6bea0690 18 API calls __cftoe 66620->66658 66628 6beb1f00 EnterCriticalSection 66621->66628 66623 6beac140 66626 6beac15c __dosmaperr 66623->66626 66629 6beac1ce 66623->66629 66657 6beac19b LeaveCriticalSection __wsopen_s 66626->66657 66628->66623 66630 6beac1f0 66629->66630 66656 6beac20c __dosmaperr 66629->66656 66631 6beac244 66630->66631 66633 6beac1f4 __dosmaperr 66630->66633 66632 6beac257 66631->66632 66667 6beab1d9 20 API calls __wsopen_s 66631->66667 66659 6beac3b0 66632->66659 66666 6bea0690 18 API calls __cftoe 66633->66666 66638 6beac2ac 66640 6beac2c0 66638->66640 66641 6beac305 WriteFile 66638->66641 66639 6beac26d 66642 6beac271 66639->66642 66643 6beac296 66639->66643 66646 6beac2cb 66640->66646 66647 6beac2f5 66640->66647 66644 6beac329 GetLastError 66641->66644 66641->66656 66642->66656 66668 6beac7cb 6 API calls __wsopen_s 66642->66668 66669 6beac421 43 API calls 5 library calls 66643->66669 66644->66656 66648 6beac2d0 66646->66648 66649 6beac2e5 66646->66649 66672 6beac833 7 API calls 2 library calls 66647->66672 66652 6beac2d5 66648->66652 66648->66656 66671 6beac9f7 8 API calls 3 library calls 66649->66671 66670 6beac90e 7 API calls 2 library calls 66652->66670 66654 6beac2e3 66654->66656 66656->66626 66657->66618 66658->66618 66673 6beb1f55 66659->66673 66661 6beac268 66661->66638 66661->66639 66662 6beac3c1 66662->66661 66678 6bea4f22 GetLastError 66662->66678 66665 6beac3fe GetConsoleMode 66665->66661 66666->66656 66667->66632 66668->66656 66669->66656 66670->66654 66671->66654 66672->66654 66674 6beb1f62 66673->66674 66676 6beb1f6f 66673->66676 66674->66662 66675 6beb1f7b 66675->66662 66676->66675 66677 6bea0690 __cftoe 18 API calls 66676->66677 66677->66674 66679 6bea4f39 66678->66679 66682 6bea4f3f 66678->66682 66680 6bea7093 __Getctype 6 API calls 66679->66680 66680->66682 66681 6bea70d2 __Getctype 6 API calls 66683 6bea4f5d 66681->66683 66682->66681 66684 6bea4f45 SetLastError 66682->66684 66683->66684 66685 
6bea4f61 66683->66685 66691 6bea4fd9 66684->66691 66692 6bea4fd3 66684->66692 66686 6bea7755 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 66685->66686 66688 6bea4f6d 66686->66688 66689 6bea4f8c 66688->66689 66690 6bea4f75 66688->66690 66694 6bea70d2 __Getctype 6 API calls 66689->66694 66695 6bea70d2 __Getctype 6 API calls 66690->66695 66693 6bea1039 __Getctype 35 API calls 66691->66693 66692->66661 66692->66665 66696 6bea4fde 66693->66696 66697 6bea4f98 66694->66697 66698 6bea4f83 66695->66698 66699 6bea4f9c 66697->66699 66700 6bea4fad 66697->66700 66701 6bea4d2b _free HeapFree GetLastError 66698->66701 66702 6bea70d2 __Getctype 6 API calls 66699->66702 66704 6bea4d2b _free HeapFree GetLastError 66700->66704 66703 6bea4f89 66701->66703 66702->66698 66703->66684 66704->66703 66705->66600 66706->66607 66708 6beabf3d __wsopen_s 66707->66708 66716 6beb1f00 EnterCriticalSection 66708->66716 66710 6beabf4b 66711 6beabe95 __wsopen_s 21 API calls 66710->66711 66712 6beabf78 66710->66712 66711->66712 66717 6beabfb1 LeaveCriticalSection __wsopen_s 66712->66717 66714 6beabf9a 66714->66613 66715->66613 66716->66710 66717->66714 66718->66211 66719->66213 66720->66211 66721->66211 66722->66211 66724 6bd6022e 66723->66724 66725 6bd370c4 66724->66725 66730 6bea1d4b 66724->66730 66725->66223 66727->66225 66728->66227 66729->66229 66731 6bea1d59 66730->66731 66732 6bea1d76 66730->66732 66731->66732 66733 6bea1d7a 66731->66733 66734 6bea1d66 66731->66734 66732->66724 66738 6bea1f72 66733->66738 66746 6bea0690 18 API calls __cftoe 66734->66746 66739 6bea1f7e __wsopen_s 66738->66739 66747 6be9cb19 EnterCriticalSection 66739->66747 66741 6bea1f8c 66748 6bea1f2f 66741->66748 66745 6bea1dac 66745->66724 66746->66732 66747->66741 66756 6bea8b16 66748->66756 66754 6bea1f69 66755 6bea1fc1 LeaveCriticalSection 66754->66755 66755->66745 66757 6beaa1d0 18 API calls 66756->66757 66758 6bea8b27 66757->66758 66759 6beb1f55 __wsopen_s 18 API calls 66758->66759 66761 6bea8b2d 
__wsopen_s 66759->66761 66760 6bea1f43 66763 6bea1dae 66760->66763 66761->66760 66773 6bea4d2b HeapFree GetLastError __dosmaperr 66761->66773 66765 6bea1dc0 66763->66765 66767 6bea1dde 66763->66767 66764 6bea1dce 66774 6bea0690 18 API calls __cftoe 66764->66774 66765->66764 66765->66767 66770 6bea1df6 _Yarn 66765->66770 66772 6bea8bc9 62 API calls 66767->66772 66768 6bea1229 62 API calls 66768->66770 66769 6beaa1d0 18 API calls 66769->66770 66770->66767 66770->66768 66770->66769 66771 6beac0dc __wsopen_s 62 API calls 66770->66771 66771->66770 66772->66754 66773->66760 66774->66767 66776 6be96595 66775->66776 66777 6bd62020 52 API calls 66776->66777 66778 6be96636 66777->66778 66779 6be96fb3 std::_Facet_Register 4 API calls 66778->66779 66780 6be9666e 66779->66780 66781 6be97897 43 API calls 66780->66781 66782 6be96682 66781->66782 66783 6bd61d90 89 API calls 66782->66783 66784 6be9672b 66783->66784 66785 6be9675c 66784->66785 66827 6bd62250 30 API calls 66784->66827 66785->66245 66787 6be96796 66828 6bd626e0 24 API calls 4 library calls 66787->66828 66789 6be967a8 66829 6be998e9 RaiseException 66789->66829 66791 6be967bd 66792 6bd5e010 67 API calls 66791->66792 66793 6be967cf 66792->66793 66793->66245 66795 6be968fd 66794->66795 66830 6be96b10 66795->66830 66797 6be969ec 66797->66250 66799 6be96915 66799->66797 66848 6bd62250 30 API calls 66799->66848 66849 6bd626e0 24 API calls 4 library calls 66799->66849 66850 6be998e9 RaiseException 66799->66850 66803 6bd723af 66802->66803 66806 6bd723c3 66803->66806 66859 6bd63560 32 API calls std::_Xinvalid_argument 66803->66859 66807 6bd7247e 66806->66807 66861 6bd62250 30 API calls 66806->66861 66862 6bd626e0 24 API calls 4 library calls 66806->66862 66863 6be998e9 RaiseException 66806->66863 66810 6bd72491 66807->66810 66860 6bd637e0 32 API calls std::_Xinvalid_argument 66807->66860 66810->66250 66813 6be9610e 66812->66813 66814 6be96141 66812->66814 66816 6bd601f0 64 API calls 66813->66816 66815 6be961f3 66814->66815 
66864 6bd62250 30 API calls 66814->66864 66815->66255 66817 6be96134 66816->66817 66819 6bea1088 67 API calls 66817->66819 66819->66814 66820 6be9621e 66865 6bd62340 24 API calls 66820->66865 66822 6be9622e 66866 6be998e9 RaiseException 66822->66866 66824 6be96239 66825 6bd5e010 67 API calls 66824->66825 66826 6be96292 std::ios_base::_Ios_base_dtor 66825->66826 66826->66255 66827->66787 66828->66789 66829->66791 66831 6be96b78 66830->66831 66832 6be96b4c 66830->66832 66838 6be96b89 66831->66838 66851 6bd63560 32 API calls std::_Xinvalid_argument 66831->66851 66833 6be96b71 66832->66833 66853 6bd62250 30 API calls 66832->66853 66833->66799 66836 6be96d58 66854 6bd62340 24 API calls 66836->66854 66838->66833 66852 6bd62f60 42 API calls 4 library calls 66838->66852 66839 6be96d67 66855 6be998e9 RaiseException 66839->66855 66843 6be96d97 66857 6bd62340 24 API calls 66843->66857 66845 6be96dad 66858 6be998e9 RaiseException 66845->66858 66847 6be96bc3 66847->66833 66856 6bd62250 30 API calls 66847->66856 66848->66799 66849->66799 66850->66799 66851->66838 66852->66847 66853->66836 66854->66839 66855->66847 66856->66843 66857->66845 66858->66833 66859->66806 66860->66810 66861->66806 66862->66806 66863->66806 66864->66820 66865->66822 66866->66824 66867 6bd13d62 66869 6bd13bc0 66867->66869 66868 6bd13e8a GetCurrentThread NtSetInformationThread 66870 6bd13eea 66868->66870 66869->66868 66871 6bd24a27 66873 6bd24a5d _strlen 66871->66873 66872 6bd3639e 66962 6bea06a0 18 API calls 2 library calls 66872->66962 66873->66872 66874 6bd25b58 66873->66874 66875 6bd25b6f 66873->66875 66879 6bd25b09 _Yarn 66873->66879 66877 6be96fb3 std::_Facet_Register 4 API calls 66874->66877 66878 6be96fb3 std::_Facet_Register 4 API calls 66875->66878 66877->66879 66878->66879 66880 6be8b430 2 API calls 66879->66880 66882 6bd25bad std::ios_base::_Ios_base_dtor 66880->66882 66881 6be95560 4 API calls 66891 6bd261cb _strlen 66881->66891 66882->66872 66882->66881 66885 6bd29ba5 
std::ios_base::_Ios_base_dtor _Yarn _strlen 66882->66885 66883 6be96fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66883->66885 66884 6be8b430 2 API calls 66884->66885 66885->66872 66885->66883 66885->66884 66886 6bd2a292 Sleep 66885->66886 66905 6bd2e619 66885->66905 66961 6bd29bb1 std::ios_base::_Ios_base_dtor _Yarn _strlen 66886->66961 66887 6bd26624 66890 6be96fb3 std::_Facet_Register 4 API calls 66887->66890 66888 6bd2660d 66889 6be96fb3 std::_Facet_Register 4 API calls 66888->66889 66897 6bd265bc _Yarn _strlen 66889->66897 66890->66897 66891->66872 66891->66887 66891->66888 66891->66897 66892 6be95560 CreateProcessA WaitForSingleObject CloseHandle CloseHandle 66892->66961 66893 6bd363b2 66963 6bd115e0 18 API calls std::ios_base::_Ios_base_dtor 66893->66963 66894 6bd29bbd GetCurrentProcess TerminateProcess 66894->66885 66896 6bd364f8 66897->66893 66898 6bd26970 66897->66898 66899 6bd26989 66897->66899 66902 6bd26920 _Yarn 66897->66902 66900 6be96fb3 std::_Facet_Register 4 API calls 66898->66900 66901 6be96fb3 std::_Facet_Register 4 API calls 66899->66901 66900->66902 66901->66902 66903 6be95ed0 104 API calls 66902->66903 66906 6bd269d6 std::ios_base::_Ios_base_dtor _strlen 66903->66906 66904 6bd2f243 CreateFileA 66920 6bd2f2a7 66904->66920 66905->66904 66906->66872 66907 6bd26dd2 66906->66907 66908 6bd26dbb 66906->66908 66919 6bd26d69 _Yarn _strlen 66906->66919 66910 6be96fb3 std::_Facet_Register 4 API calls 66907->66910 66909 6be96fb3 std::_Facet_Register 4 API calls 66908->66909 66909->66919 66910->66919 66911 6bd302ca 66912 6bd27440 66915 6be96fb3 std::_Facet_Register 4 API calls 66912->66915 66913 6bd27427 66914 6be96fb3 std::_Facet_Register 4 API calls 66913->66914 66916 6bd273da _Yarn 66914->66916 66915->66916 66918 6be95ed0 104 API calls 66916->66918 66917 6bd302ac GetCurrentProcess TerminateProcess 66917->66911 66921 6bd2748d std::ios_base::_Ios_base_dtor _strlen 66918->66921 66919->66893 
66919->66912 66919->66913 66919->66916 66920->66911 66920->66917 66921->66872 66922 6bd27991 66921->66922 66923 6bd279a8 66921->66923 66927 6bd27940 _Yarn _strlen 66921->66927 66925 6be96fb3 std::_Facet_Register 4 API calls 66922->66925 66926 6be96fb3 std::_Facet_Register 4 API calls 66923->66926 66924 6be96fb3 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 66924->66961 66925->66927 66926->66927 66927->66893 66928 6bd27de2 66927->66928 66929 6bd27dc9 66927->66929 66932 6bd27d7c _Yarn 66927->66932 66930 6be96fb3 std::_Facet_Register 4 API calls 66928->66930 66931 6be96fb3 std::_Facet_Register 4 API calls 66929->66931 66930->66932 66931->66932 66933 6be95ed0 104 API calls 66932->66933 66934 6bd27e2f std::ios_base::_Ios_base_dtor _strlen 66933->66934 66934->66872 66935 6bd285a8 66934->66935 66936 6bd285bf 66934->66936 66939 6bd28556 _Yarn _strlen 66934->66939 66937 6be96fb3 std::_Facet_Register 4 API calls 66935->66937 66938 6be96fb3 std::_Facet_Register 4 API calls 66936->66938 66937->66939 66938->66939 66939->66893 66940 6bd28983 66939->66940 66941 6bd2896a 66939->66941 66944 6bd2891d _Yarn 66939->66944 66943 6be96fb3 std::_Facet_Register 4 API calls 66940->66943 66942 6be96fb3 std::_Facet_Register 4 API calls 66941->66942 66942->66944 66943->66944 66945 6be95ed0 104 API calls 66944->66945 66948 6bd289d0 std::ios_base::_Ios_base_dtor _strlen 66945->66948 66946 6bd28f36 66950 6be96fb3 std::_Facet_Register 4 API calls 66946->66950 66947 6bd28f1f 66949 6be96fb3 std::_Facet_Register 4 API calls 66947->66949 66948->66872 66948->66946 66948->66947 66951 6bd28ecd _Yarn _strlen 66948->66951 66949->66951 66950->66951 66951->66893 66952 6bd29354 66951->66952 66953 6bd2936d 66951->66953 66956 6bd29307 _Yarn 66951->66956 66954 6be96fb3 std::_Facet_Register 4 API calls 66952->66954 66955 6be96fb3 std::_Facet_Register 4 API calls 66953->66955 66954->66956 66955->66956 66957 6be95ed0 104 API calls 66956->66957 66960 6bd293ba 
std::ios_base::_Ios_base_dtor 66957->66960 66958 6be95560 4 API calls 66958->66885 66959 6be95ed0 104 API calls 66959->66961 66960->66872 66960->66958 66961->66872 66961->66885 66961->66892 66961->66893 66961->66894 66961->66924 66961->66959 66963->66896 66964 6be9f4af 66965 6be9f4bb __wsopen_s 66964->66965 66966 6be9f4cf 66965->66966 66967 6be9f4c2 GetLastError ExitThread 66965->66967 66968 6bea4f22 __Getctype 37 API calls 66966->66968 66969 6be9f4d4 66968->66969 66976 6beaa2d6 66969->66976 66973 6be9f4eb 66982 6be9f41a 16 API calls 2 library calls 66973->66982 66975 6be9f50d 66977 6beaa2e8 GetPEB 66976->66977 66978 6be9f4df 66976->66978 66977->66978 66979 6beaa2fb 66977->66979 66978->66973 66981 6bea72df 5 API calls std::_Lockit::_Lockit 66978->66981 66983 6bea7388 5 API calls std::_Lockit::_Lockit 66979->66983 66981->66973 66982->66975 66983->66978 66984 6bead043 66985 6bead06d 66984->66985 66986 6bead055 __dosmaperr 66984->66986 66985->66986 66988 6bead0e7 66985->66988 66989 6bead0b8 __dosmaperr 66985->66989 66990 6bead100 66988->66990 66991 6bead11b __dosmaperr 66988->66991 66994 6bead157 __wsopen_s 66988->66994 67026 6bea0690 18 API calls __cftoe 66989->67026 66990->66991 66993 6bead105 66990->66993 67019 6bea0690 18 API calls __cftoe 66991->67019 66992 6beb1f55 __wsopen_s 18 API calls 66995 6bead2ae 66992->66995 66993->66992 67020 6bea4d2b HeapFree GetLastError __dosmaperr 66994->67020 66998 6bead324 66995->66998 67001 6bead2c7 GetConsoleMode 66995->67001 67000 6bead328 ReadFile 66998->67000 66999 6bead177 67021 6bea4d2b HeapFree GetLastError __dosmaperr 66999->67021 67003 6bead39c GetLastError 67000->67003 67004 6bead342 67000->67004 67001->66998 67005 6bead2d8 67001->67005 67017 6bead132 __dosmaperr __wsopen_s 67003->67017 67004->67003 67007 6bead319 67004->67007 67005->67000 67008 6bead2de ReadConsoleW 67005->67008 67006 6bead17e 67006->67017 67022 6beab1d9 20 API calls __wsopen_s 67006->67022 67012 6bead37e 67007->67012 67013 6bead367 67007->67013 
67007->67017 67008->67007 67010 6bead2fa GetLastError 67008->67010 67010->67017 67015 6bead395 67012->67015 67012->67017 67024 6bead46e 23 API calls 3 library calls 67013->67024 67025 6bead726 21 API calls __wsopen_s 67015->67025 67023 6bea4d2b HeapFree GetLastError __dosmaperr 67017->67023 67018 6bead39a 67018->67017 67019->67017 67020->66999 67021->67006 67022->66993 67023->66986 67024->67017 67025->67018 67026->66986
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: 2b82b040af3b69e3cd8ed3179cef82bae79f21b7fe99052412924fbcc4e9b571
                            • Instruction ID: 9d973ffbac8d87a373e0172f73d11a3af74d4029e701b26268b6559b3ca0bfc8
                            • Opcode Fuzzy Hash: 2b82b040af3b69e3cd8ed3179cef82bae79f21b7fe99052412924fbcc4e9b571
                            • Instruction Fuzzy Hash: C1740771648B02CFC728CF28C8D0695B7E3EF95324B198A6DC0E68F655E778B54ACB50
                            Strings
                            Similarity
                            • API ID:
                            • String ID: }jk$;T55$L@^
                            • API String ID: 0-4218709813
                            • Opcode ID: 1bd71365a29e05413fc0b9bab0c410eba354e045b6fd8d1dd74ab752aa1382d5
                            • Instruction ID: e34c655c74352ff70e5268ff78197184af53fc8177f625cecd130f36112351ff
                            • Opcode Fuzzy Hash: 1bd71365a29e05413fc0b9bab0c410eba354e045b6fd8d1dd74ab752aa1382d5
                            • Instruction Fuzzy Hash: 65341871644B41CFC728CF28C8D0A95B7E3EF95328B198A6DC1EA4F655E778B44ACB40

                            Control-flow Graph
                            (Graph image omitted. Function entry 6be957b0; its basic blocks call CreateToolhelp32Snapshot, Process32FirstW, Process32NextW and CloseHandle, plus the internal subroutines 6bea3175 and 6be9be90.)
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BE957BE
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: 0c699128741375b529f1dc99438374fabcdfd5fff1d9b9801e0ab02d0217e1be
                            • Instruction ID: 0ad6c8fda4f2eeae3339c7dbae3036e51de75e40990228284386af5638172bad
                            • Opcode Fuzzy Hash: 0c699128741375b529f1dc99438374fabcdfd5fff1d9b9801e0ab02d0217e1be
                            • Instruction Fuzzy Hash: C3316B74518340EBD720AF28D888B0ABBF4AF95749F604D3EE698C73A0D375D85D8B52

                            Control-flow Graph
                            (Graph image omitted. Function entry 6bd13886; its basic blocks call GetCurrentThread and NtSetInformationThread, plus the internal subroutines 6be619e0, 6be619f0 and 6bd13750.)
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e2a48ef1e40857f31f16fe3a8ee8c9bf6b842ac25f6d1de73cc008c769628f34
                            • Instruction ID: bcc2a812d5ff51fdca89dc74f11395244e19d0b87dd1cc291a4677f75abb918a
                            • Opcode Fuzzy Hash: e2a48ef1e40857f31f16fe3a8ee8c9bf6b842ac25f6d1de73cc008c769628f34
                            • Instruction Fuzzy Hash: 3132C032249B01CFC334CF28D890696B7E3EF913347698A6DC0EA5B695D779B44ACB50

                            Control-flow Graph
                            (Graph image omitted. Function entry 6bd13a6a; its basic blocks call GetCurrentThread and NtSetInformationThread, plus the internal subroutines 6be619e0, 6be619f0 and 6bd13750.)
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 3f51bd7ba6c1dda036907991d00ac1ac27d00dfb08e25b6f87e6680db3543a32
                            • Instruction ID: 1e242d02260f3f511e543a3869b94ba19f3546fc1c8d2f939118c88b48881ce0
                            • Opcode Fuzzy Hash: 3f51bd7ba6c1dda036907991d00ac1ac27d00dfb08e25b6f87e6680db3543a32
                            • Instruction Fuzzy Hash: 2C51E0725487419FC330CF28D880785B7A3BF95334F698A6DC0EA5F295DB78B4468B51
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 5819144ab9ba21a2a747ad94e735b36a405c83577b34668c28bd20bf69f6cea0
                            • Instruction ID: 90184281cf873f0404028f214291f905c14e140b54c03f27c622eeca12dbd122
                            • Opcode Fuzzy Hash: 5819144ab9ba21a2a747ad94e735b36a405c83577b34668c28bd20bf69f6cea0
                            • Instruction Fuzzy Hash: 3651DC71508B019BC330CF28D480796B7A3BF95334F698A5DC0EA5F295EB78B4468B91
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BD13E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD13EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 211eccb664ce6aa456e2b8cab248a92503bda66332bbfe6419f2a5003413ec52
                            • Instruction ID: 2a317ff3029ee68e47a2f48462005e120fe5fc664c7ef28928aa14f55f455fdd
                            • Opcode Fuzzy Hash: 211eccb664ce6aa456e2b8cab248a92503bda66332bbfe6419f2a5003413ec52
                            • Instruction Fuzzy Hash: D2310471549B01DBC330CF64D8847C6B7A3AF96334F258A1DC0EA5F291DB7870458B51
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BD13E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD13EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: f876d6b980ff8b25168b76c7a84dfd2ab122e34925cd6f2fa073e42209bd9b89
                            • Instruction ID: e9ed2d7791ea95f18f223fd586c762e6cb71d68fc0a1f04adb51a7286a6c694e
                            • Opcode Fuzzy Hash: f876d6b980ff8b25168b76c7a84dfd2ab122e34925cd6f2fa073e42209bd9b89
                            • Instruction Fuzzy Hash: 1E310F71108701DBC734CF68D490796B7A7AF92328F254A6CC0EA4F281DB79B045CF52
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6BE956A0
                            Similarity
                            • API ID: ManagerOpen
                            • String ID:
                            • API String ID: 1889721586-0
                            • Opcode ID: e5a9947866c6e8f24eddd931b5f485fafb8300fdd816be3e7d3d5e3ea96505fe
                            • Instruction ID: 631f307d4dd11dc5c1e45b7347ede3ce752c35feac50a5e816fb6c93d8260801
                            • Opcode Fuzzy Hash: e5a9947866c6e8f24eddd931b5f485fafb8300fdd816be3e7d3d5e3ea96505fe
                            • Instruction Fuzzy Hash: C4314AB4918341EFC7109F28D584B0EBBE0AB89725F60889EF999C6361C374C9499B63
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BD13E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD13EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: e69044fbaa493e3ca11bd716daccc32258f8a1420ae99d17469ba5f440c939f7
                            • Instruction ID: 6dacd32eff5c6cd3a20462ccc4a62e099bbdd4328032e3cc457e2dac9d672068
                            • Opcode Fuzzy Hash: e69044fbaa493e3ca11bd716daccc32258f8a1420ae99d17469ba5f440c939f7
                            • Instruction Fuzzy Hash: D221DE7015C7019BD734CF64D891796B7A6AF52339F248A2DC0EA8F290EB78A4458F52
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6BE8B44C
                            Similarity
                            • API ID: FileFindFirst
                            • String ID:
                            • API String ID: 1974802433-0
                            • Opcode ID: 4775571ae280a4583c47a5eb0cccca7c72a080e4d9511ddfb50b7eb42d689722
                            • Instruction ID: a79b2cdd4e3f29d4f70ba845646b4136af5829c7c0b63e9e64f11b8ca6f67638
                            • Opcode Fuzzy Hash: 4775571ae280a4583c47a5eb0cccca7c72a080e4d9511ddfb50b7eb42d689722
                            • Instruction Fuzzy Hash: 4F113A74818751AFD710CB38D58554EBBE4AF86314F248D99F4ACCB3A1E339CC998B42
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6BE6B117
                            Strings
                            Similarity
                            • API ID: FileRead
                            • String ID: $53N!$53N!$H$I_#]$J_#]$J_#]$Y<Uq$Y<Uq$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$\|n/$f@n`$f@n`$jinc$|
                            • API String ID: 2738559852-1563143607
                            • Opcode ID: 563a3f20f3931da45e9132e7806b05a81d324bec98a50389ae7eb3e9bc74b441
                            • Instruction ID: 5f6360a31d32434242021d5bbbce262a4df66751eba03b6e12a1fd6f0892cb76
                            • Opcode Fuzzy Hash: 563a3f20f3931da45e9132e7806b05a81d324bec98a50389ae7eb3e9bc74b441
                            • Instruction Fuzzy Hash: DA627A70A8C381CFC764CF28C49165ABBE1ABD9754F248D5EF4A9CB350E739D8468B42

                            Control-flow Graph
                            (Graph image omitted. Function entry 6bead043; its basic blocks call GetConsoleMode, ReadFile, ReadConsoleW and GetLastError, plus internal subroutines including 6be9ff4f, 6be9ff3c, 6bea0690, 6bea4d65, 6bea4d2b, 6beab1d9, 6beb1f55, 6be9ff62, 6bead46e, 6bead3f3 and 6bead726.)
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
• Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
• Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 4651d83b5122c104e8d970bfef588bb8da3cd285ce178e638e05b30e45c4fca1
                            • Instruction ID: 0b898feec04ecd7dd8055d88068f449193df6b1cae88b570199d12d547ceb34b
                            • Opcode Fuzzy Hash: 4651d83b5122c104e8d970bfef588bb8da3cd285ce178e638e05b30e45c4fca1
                            • Instruction Fuzzy Hash: E4C1FC74D44209AFDF01EFA8C880B9DBBB9AF4A315F2081D9E9149F391C77C9955CB60

                            Control-flow Graph

                            control_flow_graph 6933 6beb45dc-6beb460c call 6beb4a5c 6936 6beb460e-6beb4619 call 6be9ff4f 6933->6936 6937 6beb4627-6beb4633 call 6beb1b7c 6933->6937 6942 6beb461b-6beb4622 call 6be9ff3c 6936->6942 6943 6beb464c-6beb4695 call 6beb49c7 6937->6943 6944 6beb4635-6beb464a call 6be9ff4f call 6be9ff3c 6937->6944 6954 6beb4901-6beb4905 6942->6954 6952 6beb4702-6beb470b GetFileType 6943->6952 6953 6beb4697-6beb46a0 6943->6953 6944->6942 6955 6beb470d-6beb473e GetLastError call 6be9ff62 CloseHandle 6952->6955 6956 6beb4754-6beb4757 6952->6956 6958 6beb46a2-6beb46a6 6953->6958 6959 6beb46d7-6beb46fd GetLastError call 6be9ff62 6953->6959 6955->6942 6970 6beb4744-6beb474f call 6be9ff3c 6955->6970 6961 6beb4759-6beb475e 6956->6961 6962 6beb4760-6beb4766 6956->6962 6958->6959 6963 6beb46a8-6beb46d5 call 6beb49c7 6958->6963 6959->6942 6966 6beb476a-6beb47b8 call 6beb1d20 6961->6966 6962->6966 6967 6beb4768 6962->6967 6963->6952 6963->6959 6976 6beb47ba-6beb47c6 call 6beb4bd6 6966->6976 6977 6beb47d7-6beb47ff call 6beb4c80 6966->6977 6967->6966 6970->6942 6976->6977 6982 6beb47c8 6976->6982 6983 6beb4801-6beb4802 6977->6983 6984 6beb4804-6beb4845 6977->6984 6985 6beb47ca-6beb47d2 call 6beabe95 6982->6985 6983->6985 6986 6beb4847-6beb484b 6984->6986 6987 6beb4866-6beb4874 6984->6987 6985->6954 6986->6987 6989 6beb484d-6beb4861 6986->6989 6990 6beb487a-6beb487e 6987->6990 6991 6beb48ff 6987->6991 6989->6987 6990->6991 6993 6beb4880-6beb48b3 CloseHandle call 6beb49c7 6990->6993 6991->6954 6996 6beb48e7-6beb48fb 6993->6996 6997 6beb48b5-6beb48e1 GetLastError call 6be9ff62 call 6beb1c8f 6993->6997 6996->6991 6997->6996
                            APIs
                              • Part of subcall function 6BEB49C7: CreateFileW.KERNEL32(00000000,00000000,?,6BEB4685,?,?,00000000,?,6BEB4685,00000000,0000000C), ref: 6BEB49E4
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEB46F0
                            • __dosmaperr.LIBCMT ref: 6BEB46F7
                            • GetFileType.KERNEL32(00000000), ref: 6BEB4703
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEB470D
                            • __dosmaperr.LIBCMT ref: 6BEB4716
                            • CloseHandle.KERNEL32(00000000), ref: 6BEB4736
                            • CloseHandle.KERNEL32(6BEAB640), ref: 6BEB4883
                            • GetLastError.KERNEL32 ref: 6BEB48B5
                            • __dosmaperr.LIBCMT ref: 6BEB48BC
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: 5ceb6c35284f980a6fa0d11a81f25587195be9f8a996324c2c5129e9088f4c8e
                            • Instruction ID: b7ca7daf162ddb3a5b6bb42fd7b39880c651c795ef2a79a74295da26a8f45625
                            • Opcode Fuzzy Hash: 5ceb6c35284f980a6fa0d11a81f25587195be9f8a996324c2c5129e9088f4c8e
                            • Instruction Fuzzy Hash: 5DA14832A142559FCF099F78D951BAD3BB1AF07328F24019EE811EF391DB399826CB51

                            Control-flow Graph

                            control_flow_graph 7002 6be6c750-6be6c7a9 call 6be970e0 7005 6be6c7d0-6be6c7d9 7002->7005 7006 6be6c820-6be6c825 7005->7006 7007 6be6c7db-6be6c7e0 7005->7007 7008 6be6c827-6be6c82c 7006->7008 7009 6be6c8a0-6be6c8a5 7006->7009 7010 6be6c7e2-6be6c7e7 7007->7010 7011 6be6c860-6be6c865 7007->7011 7014 6be6c977-6be6c98b 7008->7014 7015 6be6c832-6be6c837 7008->7015 7018 6be6c8ab-6be6c8b0 7009->7018 7019 6be6c9f9-6be6ca29 call 6be9b910 7009->7019 7012 6be6c8e2-6be6c94f WriteFile 7010->7012 7013 6be6c7ed-6be6c7f2 7010->7013 7016 6be6c9a1-6be6c9b8 WriteFile 7011->7016 7017 6be6c86b-6be6c870 7011->7017 7021 6be6c959-6be6c96d WriteFile 7012->7021 7020 6be6c7f8-6be6c7fd 7013->7020 7013->7021 7022 6be6c98f-6be6c99c 7014->7022 7023 6be6c83d-6be6c842 7015->7023 7024 6be6c7ab-6be6c7c0 7015->7024 7026 6be6c9c2-6be6c9ef call 6be9be90 ReadFile 7016->7026 7025 6be6c876-6be6c87b 7017->7025 7017->7026 7028 6be6c8b6-6be6c8dd 7018->7028 7029 6be6ca2e-6be6ca33 7018->7029 7019->7005 7020->7005 7030 6be6c7ff-6be6c81a 7020->7030 7021->7014 7022->7005 7023->7005 7031 6be6c844-6be6c857 7023->7031 7034 6be6c7c3-6be6c7c8 7024->7034 7025->7005 7033 6be6c881-6be6c89b 7025->7033 7026->7019 7028->7034 7029->7005 7036 6be6ca39-6be6ca47 7029->7036 7030->7034 7031->7034 7033->7022 7034->7005
                            Similarity
                            • API ID:
                            • String ID: :uW$;uW$;uW$> 4!$> 4!
                            • API String ID: 0-4100612575
                            • Opcode ID: 5869f28db1af51c7fc19decfc1b4182ee5cb3022c405df3b3b65deaba7248a12
                            • Instruction ID: 2edc0d074653e852336177595b7ef787c7c2d5693e463544ead2a3171f714c84
                            • Opcode Fuzzy Hash: 5869f28db1af51c7fc19decfc1b4182ee5cb3022c405df3b3b65deaba7248a12
                            • Instruction Fuzzy Hash: 65717DB0248345AFDB10CF28C480B5ABBE5BF89748F20496EF494D7351E379E8598B82
                            Similarity
                            • API ID:
                            • String ID: K?Jo$K?Jo$`Rlx$7eO
                            • API String ID: 0-174837320
                            • Opcode ID: f3b8d46df8fc797f8ba90f414cfec146496145c41e8acbc542b362538441598c
                            • Instruction ID: 140603b37723ad3f3967e86841f46ac85881da616293091f34332c3bb859cdc5
                            • Opcode Fuzzy Hash: f3b8d46df8fc797f8ba90f414cfec146496145c41e8acbc542b362538441598c
                            • Instruction Fuzzy Hash: 69424874A883418FCB14CF28C09161EBBE1AF99798F248D5EF5A58B321E738D855CB53
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: 9a434ea86a9f96b5da848dde28ef5764b15f671e6e8da4c70eb5179dc5606b40
                            • Instruction ID: d4e8947699d2b9570334902378a497ff6ab24dd1c66d88ac2ff8f0ca228ebde3
                            • Opcode Fuzzy Hash: 9a434ea86a9f96b5da848dde28ef5764b15f671e6e8da4c70eb5179dc5606b40
                            • Instruction Fuzzy Hash: 2103F131644B41CFC728CF28C8D0696B7E3AFD53287198E6DC1EA4B695DB78B44ACB50

                            Control-flow Graph

                            control_flow_graph 7579 6be95560-6be955e7 CreateProcessA 7580 6be9563a-6be95643 7579->7580 7581 6be95660-6be9567b 7580->7581 7582 6be95645-6be9564a 7580->7582 7581->7580 7583 6be9564c-6be95651 7582->7583 7584 6be955f0-6be95632 WaitForSingleObject CloseHandle * 2 7582->7584 7583->7580 7585 6be95653-6be95688 7583->7585 7584->7580
                            Similarity
                            • API ID: CreateProcess
                            • String ID: D
                            • API String ID: 963392458-2746444292
                            • Opcode ID: d9d91bed497deee83ee7b1eca39ae1c25113447e75c899b3c6c41571fab0f288
                            • Instruction ID: 736d810675aff65cec36dbc6ee2f72a70fa3ad450b167675e041dffb3e5bfa03
                            • Opcode Fuzzy Hash: d9d91bed497deee83ee7b1eca39ae1c25113447e75c899b3c6c41571fab0f288
                            • Instruction Fuzzy Hash: 493114B08193408FD310EF28D19871EBBF0AB9A318F505A1DF8E986261E779D589CF43
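The control_flow_graph line for the CreateProcessA function above (like every other control_flow_graph line on this page) is a flat token stream: "<id> <addr>[-<addr>]" declares a basic block, the tokens that follow it are annotations (a Win32 API name, "call <addr>" for an internal call, and "* N" to repeat the previous annotation so that it occurs N times), and "<id>-><id>" declares an edge. The parser below is an added example, not Joe Sandbox code; that grammar is inferred from the lines on this page and is an assumption, as is the rule that API names are CamelCase exports. The sample input is the CreateProcessA graph copied from the entry above; the second, shorter input in the test is a fragment of the 6bead043 graph earlier on the page.

```python
"""Parse Joe Sandbox control_flow_graph lines and locate the blocks that invoke Win32 APIs.

Added example, not Joe Sandbox code. The token grammar is inferred from this report
(assumption): "<id> <addr>[-<addr>] [annotation ...]" declares a basic block, where an
annotation is an API name, "call <addr>", or "* N" (repeat the previous annotation so it
occurs N times); "<id>-><id>" declares an edge.
"""
import re
from collections import deque

ADDR = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8})?$")   # 32-bit module: 8 hex digits
EDGE = re.compile(r"^(\d+)->(\d+)$")
API = re.compile(r"^[A-Z][A-Za-z0-9_]*$")               # assumption: exported API names

# Constructed input: the CreateProcessA function's graph, copied from the entry above.
SAMPLE = (
    "control_flow_graph 7579 6be95560-6be955e7 CreateProcessA 7580 6be9563a-6be95643 "
    "7579->7580 7581 6be95660-6be9567b 7580->7581 7582 6be95645-6be9564a 7580->7582 "
    "7581->7580 7583 6be9564c-6be95651 7582->7583 7584 6be955f0-6be95632 "
    "WaitForSingleObject CloseHandle * 2 7582->7584 7583->7580 7585 6be95653-6be95688 "
    "7583->7585 7584->7580"
)


def _is_node_start(toks, i):
    """A block declaration is a decimal id followed by an address or address range."""
    return toks[i].isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]) is not None


def parse_cfg(line):
    """Return (nodes, edges). nodes maps id -> {"addr": str, "items": [annotation, ...]};
    edges is a list of (src_id, dst_id) in the order they appear."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, edges, i = {}, [], 0
    while i < len(toks):
        m = EDGE.match(toks[i])
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        if not _is_node_start(toks, i):
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
        nid, items = toks[i], []
        nodes[nid] = {"addr": toks[i + 1], "items": items}
        i += 2
        # Annotations run until the next block declaration or edge.
        while i < len(toks) and not EDGE.match(toks[i]) and not _is_node_start(toks, i):
            t = toks[i]
            if t == "call" and i + 1 < len(toks):
                items.append("call " + toks[i + 1])
                i += 2
            elif t == "*" and i + 1 < len(toks) and toks[i + 1].isdigit() and items:
                items.extend([items[-1]] * (int(toks[i + 1]) - 1))  # "* N": N occurrences
                i += 2
            elif API.match(t):
                items.append(t)
                i += 1
            else:
                raise ValueError(f"unexpected annotation {t!r} at position {i}")
    return nodes, edges


def api_blocks(nodes):
    """Map each API name to the sorted, de-duplicated addresses of the blocks invoking it."""
    out = {}
    for n in nodes.values():
        for item in n["items"]:
            if not item.startswith("call "):
                out.setdefault(item, set()).add(n["addr"])
    return {api: sorted(addrs) for api, addrs in out.items()}


def shortest_path_to_api(nodes, edges, start, api):
    """BFS from block `start`; return the block ids on the shortest path to the first
    block that invokes `api`, or None if no such block is reachable."""
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if api in nodes[cur]["items"]:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in succ.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE)
    entry = next(iter(nodes))  # the first declared block is the function entry
    print(api_blocks(nodes))
    print(shortest_path_to_api(nodes, edges, entry, "WaitForSingleObject"))
```

Run against the sample, the parser shows that the entry block at 6be95560 calls CreateProcessA and that the branch 7579 -> 7580 -> 7582 -> 7584 reaches the block at 6be955f0, which calls WaitForSingleObject once and CloseHandle twice: a spawn-and-wait on the child, with the two handles closed afterwards (that these are the process and thread handles returned by CreateProcessA is an inference from the usual pattern, not something the report states).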

                            Control-flow Graph

                            control_flow_graph 7587 6beac1ce-6beac1ea 7588 6beac3a9 7587->7588 7589 6beac1f0-6beac1f2 7587->7589 7590 6beac3ab-6beac3af 7588->7590 7591 6beac214-6beac235 7589->7591 7592 6beac1f4-6beac207 call 6be9ff4f call 6be9ff3c call 6bea0690 7589->7592 7593 6beac23c-6beac242 7591->7593 7594 6beac237-6beac23a 7591->7594 7609 6beac20c-6beac20f 7592->7609 7593->7592 7596 6beac244-6beac249 7593->7596 7594->7593 7594->7596 7598 6beac25a-6beac26b call 6beac3b0 7596->7598 7599 6beac24b-6beac257 call 6beab1d9 7596->7599 7607 6beac2ac-6beac2be 7598->7607 7608 6beac26d-6beac26f 7598->7608 7599->7598 7610 6beac2c0-6beac2c9 7607->7610 7611 6beac305-6beac327 WriteFile 7607->7611 7612 6beac271-6beac279 7608->7612 7613 6beac296-6beac2a2 call 6beac421 7608->7613 7609->7590 7617 6beac2cb-6beac2ce 7610->7617 7618 6beac2f5-6beac303 call 6beac833 7610->7618 7614 6beac329-6beac32f GetLastError 7611->7614 7615 6beac332 7611->7615 7619 6beac33b-6beac33e 7612->7619 7620 6beac27f-6beac28c call 6beac7cb 7612->7620 7621 6beac2a7-6beac2aa 7613->7621 7614->7615 7622 6beac335-6beac33a 7615->7622 7624 6beac2d0-6beac2d3 7617->7624 7625 6beac2e5-6beac2f3 call 6beac9f7 7617->7625 7618->7621 7623 6beac341-6beac346 7619->7623 7628 6beac28f-6beac291 7620->7628 7621->7628 7622->7619 7629 6beac348-6beac34d 7623->7629 7630 6beac3a4-6beac3a7 7623->7630 7624->7623 7631 6beac2d5-6beac2e3 call 6beac90e 7624->7631 7625->7621 7628->7622 7635 6beac379-6beac385 7629->7635 7636 6beac34f-6beac354 7629->7636 7630->7590 7631->7621 7639 6beac38c-6beac39f call 6be9ff3c call 6be9ff4f 7635->7639 7640 6beac387-6beac38a 7635->7640 7641 6beac36d-6beac374 call 6be9ff62 7636->7641 7642 6beac356-6beac368 call 6be9ff3c call 6be9ff4f 7636->7642 7639->7609 7640->7588 7640->7639 7641->7609 7642->7609
                            APIs
                              • Part of subcall function 6BEAC421: GetConsoleCP.KERNEL32(?,6BEAB640,?), ref: 6BEAC469
                            • WriteFile.KERNEL32(?,?,6BEB4C5C,00000000,00000000,?,00000000,00000000,6BEB6026,00000000,00000000,?,00000000,6BEAB640,6BEB4C5C,00000000), ref: 6BEAC31F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6BEB4C5C,6BEAB640,00000000,?,?,?,?,00000000,?), ref: 6BEAC329
                            • __dosmaperr.LIBCMT ref: 6BEAC36E
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: d0f66f90d827cf10d0ab6a3731f561cc23af573bbf6c11c124f70f930628e529
                            • Instruction ID: 4b72d73fad400fe927eb639adac4dc6cdd89a61ce7a2f84f30d2348a7b5f20eb
                            • Opcode Fuzzy Hash: d0f66f90d827cf10d0ab6a3731f561cc23af573bbf6c11c124f70f930628e529
                            • Instruction Fuzzy Hash: 9C51C271B04609AEDF00ABF8CC41BEEBBBDAF4A358F200095E510AF350D779995687A1

                            Control-flow Graph

                            control_flow_graph 7654 6be96100-6be9610c 7655 6be9614d 7654->7655 7656 6be9610e-6be96119 7654->7656 7659 6be9614f-6be961c7 7655->7659 7657 6be9611b-6be9612d 7656->7657 7658 6be9612f-6be9613c call 6bd601f0 call 6bea1088 7656->7658 7657->7658 7668 6be96141-6be9614b 7658->7668 7660 6be961c9-6be961f1 7659->7660 7661 6be961f3-6be961f9 7659->7661 7660->7661 7663 6be961fa-6be962b9 call 6bd62250 call 6bd62340 call 6be998e9 call 6bd5e010 call 6be975f8 7660->7663 7668->7659
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BE962A1
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: a74e591069e1d303816047baf7ee73e5644d03c0684a353f004ebf0d23fd3913
                            • Instruction ID: 80eaf2b56607078c059e7cfe39e39033f0de420a06464de322da77587fe230e0
                            • Opcode Fuzzy Hash: a74e591069e1d303816047baf7ee73e5644d03c0684a353f004ebf0d23fd3913
                            • Instruction Fuzzy Hash: B35143B5900B008FD725DF29D581B97BBF1FB48318F108A2DD8964BB91D779B909CB90

                            Control-flow Graph

                            control_flow_graph 7699 6beabe95-6beabea9 call 6beb1b12 7702 6beabeab-6beabead 7699->7702 7703 6beabeaf-6beabeb7 7699->7703 7704 6beabefd-6beabf1d call 6beb1c8f 7702->7704 7705 6beabeb9-6beabec0 7703->7705 7706 6beabec2-6beabec5 7703->7706 7716 6beabf2b 7704->7716 7717 6beabf1f-6beabf29 call 6be9ff62 7704->7717 7705->7706 7708 6beabecd-6beabee1 call 6beb1b12 * 2 7705->7708 7709 6beabee3-6beabef3 call 6beb1b12 CloseHandle 7706->7709 7710 6beabec7-6beabecb 7706->7710 7708->7702 7708->7709 7709->7702 7720 6beabef5-6beabefb GetLastError 7709->7720 7710->7708 7710->7709 7718 6beabf2d-6beabf30 7716->7718 7717->7718 7720->7704
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6BEB47CF), ref: 6BEABEEB
                            • GetLastError.KERNEL32(?,00000000,?,6BEB47CF), ref: 6BEABEF5
                            • __dosmaperr.LIBCMT ref: 6BEABF20
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: 759f5c47810d1bc5f0485ee17c4d7fb51e7a2ca7db272cd524d3ede3032bdbbe
                            • Instruction ID: 366b42dffa9bd72a6bf85abd16eca6bcb6524b58066d30b2df3372016475e566
                            • Opcode Fuzzy Hash: 759f5c47810d1bc5f0485ee17c4d7fb51e7a2ca7db272cd524d3ede3032bdbbe
                            • Instruction Fuzzy Hash: D0010832E2822C56C60157789945B6D376D4B83B3CF36829DEA24CF2C1DB7DD4614191

                            Control-flow Graph

                            control_flow_graph 7944 6bea110c-6bea1117 7945 6bea1119-6bea112c call 6be9ff3c call 6bea0690 7944->7945 7946 6bea112e-6bea113b 7944->7946 7957 6bea1180-6bea1182 7945->7957 7948 6bea113d-6bea1152 call 6bea1229 call 6bea8cae call 6beaa1d0 call 6beabe08 7946->7948 7949 6bea1176-6bea117f call 6beab3e5 7946->7949 7963 6bea1157-6bea115c 7948->7963 7949->7957 7964 6bea115e-6bea1161 7963->7964 7965 6bea1163-6bea1167 7963->7965 7964->7949 7965->7949 7966 6bea1169-6bea1175 call 6bea4d2b 7965->7966 7966->7949
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: 3b16ecf77479de9bd45152b50c74b4c7c7f7e06fac0a218f861d12e0a5c4e961
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: 81F0F932D017241AD6212AB9DC01B4A3BAD8F9337DF314359E8248E2C0CB7CD402CAE3
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BE96024
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BE96064
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            • Opcode ID: f2860f0042fba1f8dbd88d576a1b81bb63d08c460d9a77c22a66c2b552f01402
                            • Instruction ID: f822ebc7d96901f7f657090c5887fd703c9d007097f6acd5b7c69ee1615fb913
                            • Opcode Fuzzy Hash: f2860f0042fba1f8dbd88d576a1b81bb63d08c460d9a77c22a66c2b552f01402
                            • Instruction Fuzzy Hash: 54516570500B00DBD725DF24D985BA2BBF4BF05728F508A1DE9AA4B291DB38B548CB90
                            APIs
                            • GetLastError.KERNEL32(6BEC6DF0,0000000C), ref: 6BE9F4C2
                            • ExitThread.KERNEL32 ref: 6BE9F4C9
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            • Opcode ID: 9d99ef0ac92f626e4b280dea0c1d6009a098c88f4345a7f204ff6f33002b9c96
                            • Instruction ID: 15cc4119e2dbaf516830e3192dfb87fb6e04a1522a1c7f1974c77b56d917c66b
                            • Opcode Fuzzy Hash: 9d99ef0ac92f626e4b280dea0c1d6009a098c88f4345a7f204ff6f33002b9c96
                            • Instruction Fuzzy Hash: 9FF0C271940200AFEB00AFB0D44AA6E3B78FF01318F30415EF0159B262CF3CA955DBA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: 3f72e2dd37db0e24f28c2fc2c56afe13971df16c31953be2cb6cd166791c3fa7
                            • Instruction ID: 8374f7b99af2e857a1c6e081cc5ef158a3684ddd85e55923326bbff50e76eaaa
                            • Opcode Fuzzy Hash: 3f72e2dd37db0e24f28c2fc2c56afe13971df16c31953be2cb6cd166791c3fa7
                            • Instruction Fuzzy Hash: D0114F71A0410EAFCF05DF68E941D9B7BF8EF88308F114059F805AB311D671E911CBA4
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction ID: 758dadffa758dc2b27f27ac5a940215ccb7ed001c49af0ecfd21a155f8af031b
                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction Fuzzy Hash: 5E012C72C01159AFCF01AFA88D019EE7FB9AF08314F24416AEA24A2191E7358A21DB91
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6BEB4685,?,?,00000000,?,6BEB4685,00000000,0000000C), ref: 6BEB49E4
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 1a3f130d58977de8bb72a59d942e6a351340cc6de960168da630722c18a1d5a3
                            • Instruction ID: 4a6cc1ab2b2bcf031abbd3e13ecc223eeb9470b28c4e835cf084fc8221c151d4
                            • Opcode Fuzzy Hash: 1a3f130d58977de8bb72a59d942e6a351340cc6de960168da630722c18a1d5a3
                            • Instruction Fuzzy Hash: 99D06C3204010DBBDF028E84DC06EDA3BAAFB48714F024010BA2856020C732E861AB90
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction ID: 7f8c38d9936921ae17e4db4cd5103ef68eb993371ed73e9b1c57a974ca25494d
                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction Fuzzy Hash:
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: g)''
                            • API String ID: 4218353326-3487984327
                            • Opcode ID: 0036c4342ab4986ef0333d7b0ed91de2503a71e28bb8fc8568287ad79a27d6c2
                            • Instruction ID: d29f5a83884af0ea0016f9eb219a9110a0cbbc9fb916ec9d084d14a54be7b73d
                            • Opcode Fuzzy Hash: 0036c4342ab4986ef0333d7b0ed91de2503a71e28bb8fc8568287ad79a27d6c2
                            • Instruction Fuzzy Hash: FC63F171644B018FC738CF28D8D0A95B7F3AF953187298A6DC4AA4B755EB78B44ECB40
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6BE962DA
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6BE962E6
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6BE962F4
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6BE9631B
                            • NtInitiatePowerAction.NTDLL ref: 6BE9632F
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3256374457-3733053543
                            • Opcode ID: e8c957879c8f1537af16cf16735d42422660101ce06ee76cfd850c89280c6f3c
                            • Instruction ID: c674a0e636fee8535b83c63a03a07b5e08cd72f3b610eb35a66b5a5a21265477
                            • Opcode Fuzzy Hash: e8c957879c8f1537af16cf16735d42422660101ce06ee76cfd850c89280c6f3c
                            • Instruction Fuzzy Hash: 7DF0B4B1544300BBEA20BB68DE0EF5A7BA4EF55701F014508F991A61E1D770A899CBA2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: \j`7$\j`7$j
                            • API String ID: 0-3644614255
                            • Opcode ID: 19d859f48276e7fb4fbf7abb1e97af0bd1ae51349a8212bbffeb684fe08a8b6b
                            • Instruction ID: 50b849a5533ee4192e62b19682239c80b4dcef59ed3b73ff14df62293c35427e
                            • Opcode Fuzzy Hash: 19d859f48276e7fb4fbf7abb1e97af0bd1ae51349a8212bbffeb684fe08a8b6b
                            • Instruction Fuzzy Hash: 0742327464D3828FCB14CF68D48065ABBE1BB9A264F14496EE4E9CB360D338D945CB53
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BEF6CE5
                              • Part of subcall function 6BECCC2A: __EH_prolog.LIBCMT ref: 6BECCC2F
                              • Part of subcall function 6BECE6A6: __EH_prolog.LIBCMT ref: 6BECE6AB
                              • Part of subcall function 6BEF6A0E: __EH_prolog.LIBCMT ref: 6BEF6A13
                              • Part of subcall function 6BEF6837: __EH_prolog.LIBCMT ref: 6BEF683C
                              • Part of subcall function 6BEFA143: __EH_prolog.LIBCMT ref: 6BEFA148
                              • Part of subcall function 6BEFA143: ctype.LIBCPMT ref: 6BEFA16C
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                            • Instruction ID: e6a896f939f5d7ea786f65eb74fc241ba5848700e2e015c8894ae304136e145e
                            • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                            • Instruction Fuzzy Hash: 6003BC30804288DFDF16CFB4C951BDDBBB5AF15308F2080DDD8596B291DB785A8ADB62
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6BEA07E9
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6BEA07F3
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6BEA0800
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: 4760a992cd8ffec0d80e7b4cf04adc1413ab0d871c14fca3316812f081d78ffe
                            • Instruction ID: 72c33ca973efd745e2bd07f9cc2380ec44e2b3357bd0004036b34805de5a41b0
                            • Opcode Fuzzy Hash: 4760a992cd8ffec0d80e7b4cf04adc1413ab0d871c14fca3316812f081d78ffe
                            • Instruction Fuzzy Hash: C831C275D0122C9BCB21DF64D889BCDBBB8BF08714F6041EAE41CA7261EB749B858F45
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,6BE9F7A5,?,?,?,?), ref: 6BE9F70F
                            • TerminateProcess.KERNEL32(00000000,?,6BE9F7A5,?,?,?,?), ref: 6BE9F716
                            • ExitProcess.KERNEL32 ref: 6BE9F728
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: fbce57e1d82d62af7d94fa6a72f0f089457ac6f867964a44ba61ec623880dd15
                            • Instruction ID: a7de839cc1603be21fbe4999f78708e80bd0f3aaf9bad8e6d7faaa2a6d26ecd8
                            • Opcode Fuzzy Hash: fbce57e1d82d62af7d94fa6a72f0f089457ac6f867964a44ba61ec623880dd15
                            • Instruction Fuzzy Hash: CCE04631080208EFDF017F64E888A8D3F78FF41245B200429F814CA232CB3DE895CA90
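Three of the records above carry the evidence behind signatures listed in the report overview rather than just CRT noise: the record whose String ID is SeShutdownPrivilege shows the standard privilege-enable sequence (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges) immediately followed by NtInitiatePowerAction, which is what "Contains functionality to shutdown / reboot the system" and "Enables security privileges" rest on; the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter record is the shape of the MSVC CRT's failure-reporting routine, so on its own it is weak anti-debug evidence even though it counts toward the IsDebuggerPresent signature; and the GetCurrentProcess / TerminateProcess / ExitProcess record is a self-termination path. The Python below is an added triage helper for reading such listings in bulk; it is not part of this report or of Joe Sandbox's tooling. It parses the "APIs" bullet lines into structured calls, tags capabilities with the author's own mapping (an assumption, not Joe Sandbox's signature logic), extracts privilege names requested through LookupPrivilegeValueW, and decodes the memory-dump file names used in the "Source File"/"Associated" entries. The reading of those dump-name fields as base address, page protection and region type is also an assumption: it is inferred from the values lining up with the Windows PAGE_* and MEM_IMAGE constants across this image's sections, not from anything the report states. The sample input is the API lines of the three records, copied from this page.

```python
"""Triage helper for the per-function API listings of a Joe Sandbox disassembly
report. Added example for this page, not part of the report or of Joe Sandbox;
the capability mapping and the dump-name field layout are the author's own."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: API lines of the shutdown, anti-debug and self-termination
# records on this page, copied as they appear in the report.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32 ref: 6BE962DA
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6BE962E6
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6BE962F4
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6BE9631B
• NtInitiatePowerAction.NTDLL ref: 6BE9632F
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6BEA07E9
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6BEA07F3
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6BEA0800
• GetCurrentProcess.KERNEL32(?,?,6BE9F7A5,?,?,?,?), ref: 6BE9F70F
• TerminateProcess.KERNEL32(00000000,?,6BE9F7A5,?,?,?,?), ref: 6BE9F716
• ExitProcess.KERNEL32 ref: 6BE9F728
  • Part of subcall function 6BE998E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BE9862C,00000000,?,?,?,6BE9862C,?,6BEC555C), ref: 6BE99949
"""

# One bullet line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: <hex address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]          # raw argument tokens; "?" means unresolved
    ref: int                 # address of the call site
    subcall_of: Optional[int] = None  # set when the call is inside a callee

def parse_api_lines(text: str) -> list[ApiCall]:
    """Parse the 'APIs' bullets of a record; headings and hashes are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
    return calls

# Assumption: author's own capability mapping, not Joe Sandbox's signature rules.
CAPABILITY_RULES = {
    "shutdown/reboot": {"NtInitiatePowerAction", "ExitWindowsEx", "InitiateSystemShutdownExW"},
    "privilege adjustment": {"AdjustTokenPrivileges"},
    "anti-debug check": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "self-termination": {"TerminateProcess", "ExitProcess"},
}
PRIVILEGE_NAME = re.compile(r"^Se\w+Privilege$")

def privileges_requested(calls: list[ApiCall]) -> set[str]:
    """Privilege names passed to LookupPrivilegeValueW/A (e.g. SeShutdownPrivilege)."""
    return {a for c in calls if c.name in ("LookupPrivilegeValueW", "LookupPrivilegeValueA")
            for a in c.args if PRIVILEGE_NAME.match(a)}

def _in_order(calls: list[ApiCall], sequence: list[str]) -> bool:
    """True if the named APIs occur as a subsequence, in this order."""
    names = iter(c.name for c in calls)
    return all(any(n == want for n in names) for want in sequence)

def capabilities(calls: list[ApiCall]) -> set[str]:
    names = {c.name for c in calls}
    tags = {tag for tag, apis in CAPABILITY_RULES.items() if names & apis}
    # Order-aware rule: privilege lookup, then AdjustTokenPrivileges, then the
    # power action, with SeShutdownPrivilege as the looked-up name.
    if (_in_order(calls, ["LookupPrivilegeValueW", "AdjustTokenPrivileges", "NtInitiatePowerAction"])
            and "SeShutdownPrivilege" in privileges_requested(calls)):
        tags.add("enables SeShutdownPrivilege before power action")
    return tags

# Windows memory constants (documented values); the mapping of dump-name fields
# onto them is an assumption inferred from this report's file names.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

def parse_sdmp_name(name: str) -> dict:
    """Split an 8-field '<...>.sdmp' dump name; fields 3, 4 and 6 are read as
    hex base address, page protection and region type (assumed layout)."""
    fields = name.removesuffix(".sdmp").split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    prot, mtype = int(fields[4], 16), int(fields[6], 16)
    return {"process": fields[0], "phase": fields[1], "id": fields[2],
            "base": int(fields[3], 16),
            "protection": PAGE_PROTECT.get(prot, hex(prot)),
            "type": MEM_TYPE.get(mtype, hex(mtype)), "index": fields[7]}

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.name}.{c.module}({', '.join(c.args)})")
    print("privileges:", sorted(privileges_requested(calls)))
    print("capabilities:", sorted(capabilities(calls)))
    print(parse_sdmp_name("00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp"))
```

The order-aware rule is the one worth keeping: a module that merely imports AdjustTokenPrivileges or IsDebuggerPresent is unremarkable in a PE that is also full of __EH_prolog, std::ios_base and _free routines, so a tag from a single API name is a lead, not a verdict, while the lookup-adjust-power-action chain in one function is a concrete behaviour to put in the analysis notes.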
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction ID: c6c4fd048b2980ea60a0698f237a0333cfcad52e6352ac642d3df37bca7121cd
                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction Fuzzy Hash: A291F035D00249DACF06DFA4DA929EFB772AF0530CF3080ADD87267252DB395A46CB52
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6BE97E20
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6BE98643
                              • Part of subcall function 6BE998E9: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BE9862C,00000000,?,?,?,6BE9862C,?,6BEC555C), ref: 6BE99949
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                             • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            • Opcode ID: eff0dbb57bad772befd3fa3aca5b5720597feeb91fd729e024b0a7c319ffc743
                            • Instruction ID: 71bd97ca06255eee990e82fd369aae5d09ccea6c4ac109e430b52c00f2c427c0
                            • Opcode Fuzzy Hash: eff0dbb57bad772befd3fa3aca5b5720597feeb91fd729e024b0a7c319ffc743
                            • Instruction Fuzzy Hash: ACB18A719142059BCB25EF68D88179EBBB4FB09318F21816AD829E73A0D338D95DCF91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: 3ccf159214f26a0e53f09f82f0831c86da2dd889aa4508d7beaab85c46788c3e
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: 02219137AA49560BD74CCA28DC33EBD2681E744305B88627EEE4BCB3E1DF5D8800C648
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BEE540F
                              • Part of subcall function 6BEE6137: __EH_prolog.LIBCMT ref: 6BEE613C
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction ID: 1f830b2f982d38b58bf2aa6d9596f7d8cc8ba9ccbc0518c2633c27b090cc9006
                            • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction Fuzzy Hash: 21623A71D00259CFDB15CFA4C895BEDBBF1BF04308F20419AEA19AB281D7789956CFA1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: YA1
                            • API String ID: 0-613462611
                            • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction ID: 919ec5563ef87343c630fac0156c986304b7758344cc3bded84375a78aabe26f
                            • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction Fuzzy Hash: 564204766483A18FC315CF28C49069ABBE2FFD9308F14496DE8D98B361D775D846CB82
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: b3d646dfd5742cc5d6b6c876738f6e39ddee84b5bff822ac584e7d2e86b95824
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: D851B871A083559BD710CF5AC4C06EAFBE6AF79214F28C05EE8C897242D27A599BC760
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                             • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction ID: 8274d739ab5cfb8e9f1c02c67e6702dbf6e80cdd0da226dd2c368e8a4e1a9266
                            • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction Fuzzy Hash: 1C02AC32A083808BD325CF28C49079EBBE2FFD9714F144A6DE4D597362E7799945CB82
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: 07505782bd2d1c7ede61a6d6f8d7ee98c71578a3dcb345156391024bbdb3bc1d
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: 9B519473E208254AD78CCE24DC2177672D2E784310F8BC1B99D8BAB6E6DD78989187C4
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction ID: a3568114e1fa0c8758d3f1e6e81f0e50a5ecedb9448b9ad129a18e3b03ebbf5b
                            • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction Fuzzy Hash: C0526E32604B458BD318CF39C5906AABBE2BF95308F148A6DD4DAC7752DBB8E445CB41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: 46c11053672070e1ffa2728553aa8b347caf97cc16a4a99f375ed50b2bcc4a73
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: 186204B2A087458FC714CF29C58061AFBF1BFD8744F108A6EE89987325D774E865CB92
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction ID: be4890ce087de09a8fd5805c8e405fb49e3090ef3d7c59f4e0ef4de9f79148b7
                            • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction Fuzzy Hash: 3412BE722087428FC718CF28C49066AFBE2FFC9300F54496DE9969B762DB39E945CB51
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: dc7655ec1a3e95dfd9fabd6275fd16df066b502c43f5c3359bfeb14ab08a733e
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: E1020B33E082118BD318CE2CC490359BBF2FBD4355F150A2DE496976A8E77899B5CBD2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction ID: 752b43b1ac209bbe4a55f1afce1d95c547a7b56b73f7a94afb4ce5710a0e4316
                            • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction Fuzzy Hash: E1F1F032A042998BEB64CF28D8507EEBBE2FBC5310F54453DD889CB351DB39994AC791
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                            • Instruction ID: 1a279e11081e437c4c04532ed9888c9bba333da0996ff235e5fb187600e6f1b8
                            • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                            • Instruction Fuzzy Hash: 52D1E2725046168FD718CF1CC8A4636BFE1FF86304F054ABDDAAA8B3AAD7389515CB50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction ID: 453df7047c413a2fdf805c0647acdc393503d29e75911f651c637058c27ff30d
                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction Fuzzy Hash: D5C1D4362147458BC718CF39D0A02A6BFE2AFD9314F148A6DC4CE8B766DA35A409CB55
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction ID: 9e0fb733b9f8cfa4d1f1747ea7b3bc19aad456630fded94a349c2618ce02cfc0
                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction Fuzzy Hash: 0EB1F4323047164BD725DF38C8917DBB7E1AF80304F00456DC5AA87261EF78A90987E5
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                            • Instruction ID: b12ae5385a88bd4cb54fa2368c947b32de493dc21e738dcdb86e0ede79ae5089
                            • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                            • Instruction Fuzzy Hash: C7B18C766047028BC304DF29C8806EBFBE2FFC8304F14896DD59987326E775A65ACB95
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                            • Instruction ID: e13e0be56d3f7df9e6e5e69d856661df0c0e5310d6c3fd7c1fe46e91468fc336
                            • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                            • Instruction Fuzzy Hash: 4EA1E43270C3428FC314CE29C59069ABBE1ABD5318F04896DE5DA87363DA75E949CB42
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                            • Instruction ID: 3ba5a3264b722c53db5200bc5ffb39ad9bb202ae45b01fad8c8fe675f9dcd3f6
                            • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                            • Instruction Fuzzy Hash: 5881B536B047018FC320CF29C580286BBE1FF99714F68C9ADC5999B716EB76E946CB41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction ID: 1c361acfbd6b51422d03538056a1e5399c46c1af4c4e20e117803023bf3fe63d
                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction Fuzzy Hash: D4515376F006099FDB08CE98DD926EDB7F2EB88304F24816ED515E7342DB789A42CB50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction ID: 29d80eeaf74a95f3ca25da7519a59730266cdf140d8de52588ad2eeb51a819d5
                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction Fuzzy Hash: 4C3114677A440203C70DCD3BCC1279F92536BE422AB1EDB796809DEF65D52CC8239154
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                            • Instruction ID: 85a83ec0a9b17610f1399d95ebd35a9182e5e0cb8ca0ca928315a220e130121f
                            • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                            • Instruction Fuzzy Hash: AA218177320A0647E74C8A38D83737531D0A705318F98A22DE96BCE2C2D73AC457C345
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 73749b638c8cec9f51b80ac02148d5d5f9d11d41b51dae197fee29e1ab40da44
                            • Instruction ID: 6aa7d8ffd41dc3b7094926b1e1ff923e5daa94fb5cb20b6638b0d5c56bae84c2
                            • Opcode Fuzzy Hash: 73749b638c8cec9f51b80ac02148d5d5f9d11d41b51dae197fee29e1ab40da44
                            • Instruction Fuzzy Hash: 2CF03032A55324DBCB12EB48D805B8D73BDEB45B6AF22109AE501DB251C7B4DD44C7C0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction ID: afe8a9fa422600809f0074d7e42139e8999370ef882585ab111bb723baba535c
                            • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction Fuzzy Hash: BDE08C32A51328EBCB14DF98C900D8AB7ECEB44A05B2101AAB911E7200C378DE00D7D0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                            • Instruction ID: 0f504e692ad41f2907bc5c4da63d321fc2730a4e2595694603dd42f42b400dfd
                            • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                            • Instruction Fuzzy Hash: 86C08CA312810017C306EA2598C0BAAF6A37360330F228C2EA4A2E7E43C328C0648211
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                            • API String ID: 3519838083-609671
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$H_prolog
                            • String ID: >WJ$x$x
                            • API String ID: 2300968129-3162267903
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6BE9A077
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6BE9A07F
                            • _ValidateLocalCookies.LIBCMT ref: 6BE9A108
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6BE9A133
                            • _ValidateLocalCookies.LIBCMT ref: 6BE9A188
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 0-537541572
                            APIs
                            • GetConsoleCP.KERNEL32(?,6BEAB640,?), ref: 6BEAC469
                            • __fassign.LIBCMT ref: 6BEAC648
                            • __fassign.LIBCMT ref: 6BEAC665
                            • WriteFile.KERNEL32(?,6BEB6026,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BEAC6AD
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BEAC6ED
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BEAC799
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ConsoleErrorLast
                            • String ID:
                            • API String ID: 4031098158-0
                            • Opcode ID: 2acbe3fe6575da8e08a1bb071ce62445d8f3ef39e0e26bca7cf5ff1ac818c24b
                            • Instruction ID: 810d0d6acd78e904a79753279366b8adfcdeb34e484ef10949b7bb5e4e81d410
                            • Opcode Fuzzy Hash: 2acbe3fe6575da8e08a1bb071ce62445d8f3ef39e0e26bca7cf5ff1ac818c24b
                            • Instruction Fuzzy Hash: FFD1AC75E002589FCF11CFA8C880AEDBBB9FF49314F24416AE855BB341D735A946CB50
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BD62F95
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BD62FAF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD62FD0
                            • __Getctype.LIBCPMT ref: 6BD63084
                            • std::_Facet_Register.LIBCPMT ref: 6BD6309C
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD630B7
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                            • String ID:
                            • API String ID: 1102183713-0
                            • Opcode ID: 1b8d29d1f5ebdbb24ae199623002f21ca07fd0e9019906fbfd5b960461f86096
                            • Instruction ID: 1375dc770b44936f5c49bfa2f48e4453cd126c329493d123d797ac029ff993c4
                            • Opcode Fuzzy Hash: 1b8d29d1f5ebdbb24ae199623002f21ca07fd0e9019906fbfd5b960461f86096
                            • Instruction Fuzzy Hash: 77417AB1D00218CFCB20DFA8D851B9EBBF0FF58764F114169D869AB351E739A909CB91
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: 6628a85ec0f6f7b1b8399a7dd5e3f56ea9df0b2abebb3e5a06f3de31d136a91c
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: 9821987190021ABFDF108FA4CC41D9F7AAAEF417E8F308666FA14611A0E7B54D61D7A1
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BEDA6F1
                              • Part of subcall function 6BEE9173: __EH_prolog.LIBCMT ref: 6BEE9178
                            • __EH_prolog.LIBCMT ref: 6BEDA8F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: a355f5170c08dfe620d5f9e13960777c5362ed76c7c2c6abb58d1f5722a5bc49
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: 3F71D331A40255DFDB18CF64C445BDDB7F1BF14308F2080ADE9656B391DBB8AA4ACB91
                            APIs
                            • _free.LIBCMT ref: 6BEB604D
                            • _free.LIBCMT ref: 6BEB6076
                            • SetEndOfFile.KERNEL32(00000000,6BEB4C5C,00000000,6BEAB640,?,?,?,?,?,?,?,6BEB4C5C,6BEAB640,00000000), ref: 6BEB60A8
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6BEB4C5C,6BEAB640,00000000,?,?,?,?,00000000,?), ref: 6BEB60C4
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: _free$ErrorFileLast
                            • String ID: 8Q
                            • API String ID: 1547350101-4022487301
                            • Opcode ID: 89acaf24d8bf6147ac9bedeea4d79d982b1e5e4b9cca8bcfd6e49de209b16362
                            • Instruction ID: 3804586feed596c52f491cf8c0808b5a3e18f3437db0ceed86a1ae6e9bae52cc
                            • Opcode Fuzzy Hash: 89acaf24d8bf6147ac9bedeea4d79d982b1e5e4b9cca8bcfd6e49de209b16362
                            • Instruction Fuzzy Hash: D54136329002059EDF219FB6CE41B8EBBB9AF05328F300158F925EB290EB7DD8114760
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BEEE41D
                              • Part of subcall function 6BEEEE40: __EH_prolog.LIBCMT ref: 6BEEEE45
                              • Part of subcall function 6BEEE8EB: __EH_prolog.LIBCMT ref: 6BEEE8F0
                              • Part of subcall function 6BEEE593: __EH_prolog.LIBCMT ref: 6BEEE598
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: 89fdf12524460136ab57e610acdd1b772909a78137c08d43a694e086b23ca89d
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: A8218B71D01358EACB09DFF4DA969EDBBB4AF15318F20406DE42227291DB780E08CB62
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J$DJ$`J
                            • API String ID: 3519838083-2453737217
                            • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction ID: 6138d7eef99630881653e66a277051bd723cf72fcb04bd8bf2c4fb5f69756143
                            • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction Fuzzy Hash: 061100B0900B64CEC724CF6AC55019AFBE4FFA5708B10CA1FC4A687B10D7F8A505CB99
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6BE9F724,?,?,6BE9F7A5,?,?,?), ref: 6BE9F6AF
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6BE9F6C2
                            • FreeLibrary.KERNEL32(00000000,?,?,6BE9F724,?,?,6BE9F7A5,?,?,?), ref: 6BE9F6E5
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 6e26db42e1780855222215157b1933c7628a77c9fc9304ccb90b1f826b012fe7
                            • Instruction ID: 67105444979304144bf341b65828ac69fdf1454a7f451d4be7aab1706c5ced0a
                            • Opcode Fuzzy Hash: 6e26db42e1780855222215157b1933c7628a77c9fc9304ccb90b1f826b012fe7
                            • Instruction Fuzzy Hash: 8DF05E31540218BBEB01AB90DD09F9E7B74AF40359F200061B415A1262CB38DA14DAD4
                            APIs
                            • __EH_prolog3.LIBCMT ref: 6BE9789E
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BE978A9
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BE97917
                              • Part of subcall function 6BE977A0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6BE977B8
                            • std::locale::_Setgloballocale.LIBCPMT ref: 6BE978C4
                            • _Yarn.LIBCPMT ref: 6BE978DA
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID:
                            • API String ID: 1088826258-0
                            • Opcode ID: f82789f361005edd3edc2305e1a578a2598ef70cc60b14271d3d610d72c96509
                            • Instruction ID: afd04dbaf54053342a099d68ef579fe4b43ba4feaae728d319fd4c21f6eca78a
                            • Opcode Fuzzy Hash: f82789f361005edd3edc2305e1a578a2598ef70cc60b14271d3d610d72c96509
                            • Instruction Fuzzy Hash: 54019E756002119BDB06FB20E451A3C7B71FF86284B25004CE82597390DF389A1ECBD2
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: 004ea119182ec5dbf266d91fa41a5b4b63a1613c9da2550ac45cf9464bae8458
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: AA128176E0924AEFCF04CFB4C5909DDBBB1BF09304F148869E849AB761D739A951CB60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: eb8dc3e4906d654921320f1f14e06911cf5d18120d1d07389a3c6485287b7811
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: 8FB14F71D0020ADFCB14CFA5C8819AEBBB1FF58314F20856ED559A7350D778AA56CFA0
                            APIs
                              • Part of subcall function 6BE97897: __EH_prolog3.LIBCMT ref: 6BE9789E
                              • Part of subcall function 6BE97897: std::_Lockit::_Lockit.LIBCPMT ref: 6BE978A9
                              • Part of subcall function 6BE97897: std::locale::_Setgloballocale.LIBCPMT ref: 6BE978C4
                              • Part of subcall function 6BE97897: _Yarn.LIBCPMT ref: 6BE978DA
                              • Part of subcall function 6BE97897: std::_Lockit::~_Lockit.LIBCPMT ref: 6BE97917
                              • Part of subcall function 6BD62F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BD62F95
                              • Part of subcall function 6BD62F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BD62FAF
                              • Part of subcall function 6BD62F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD62FD0
                              • Part of subcall function 6BD62F60: __Getctype.LIBCPMT ref: 6BD63084
                              • Part of subcall function 6BD62F60: std::_Facet_Register.LIBCPMT ref: 6BD6309C
                              • Part of subcall function 6BD62F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD630B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6BD6211B
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 3332196525-1866435925
                            • Opcode ID: bf45a489c3a73d51632629f8d78ceefbba4c4d792e8f9836f2626a5cd8ee0092
                            • Instruction ID: f1323cc6fa4b794816ef2e8ed7c79ae6343ab69695b421b0fe3c2cb6a04b9b60
                            • Opcode Fuzzy Hash: bf45a489c3a73d51632629f8d78ceefbba4c4d792e8f9836f2626a5cd8ee0092
                            • Instruction Fuzzy Hash: 3E41A1B1E003098FDB00DF64D8457AEBBB1FF48358F108268E919AF391E7799985CB91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $CK$CK
                            • API String ID: 3519838083-2957773085
                            • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction ID: fe262d10dc1cb4c948661bcd87b989027ad41598619317a85fa3f99393f3bf9c
                            • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                            • Instruction Fuzzy Hash: F6219071E016058FCB04DFE8C4811EEF7B6FF98308F64452EC622A7291D7784A438AA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0$LrJ$x
                            • API String ID: 3519838083-658305261
                            • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                            • Instruction ID: 793abcf314f255a17331ec75ef6758590a3154adf058322c253afd6ee1ae33a4
                            • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                            • Instruction Fuzzy Hash: 5A216D3AD41119DACF05CBE8CA91AEEBBB9EF9830CF20005AD41177241DB7D5E15CBA2
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BEF4ECC
                              • Part of subcall function 6BEDF58A: __EH_prolog.LIBCMT ref: 6BEDF58F
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            • API String ID: 3519838083-2437443688
                            • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction ID: 98ceb2682b5d76ca70b06e184e08239270038b9badac632be8ef23fd3fdf88b9
                            • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                            • Instruction Fuzzy Hash: 2921DAB0801B50DFC764CF7AC14424ABBF4BF29708B10C96EC0AA97B11E7B9A508CF55
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6BEAB640,6BD61DEA,00008000,6BEAB640,?,?,?,6BEAB1EF,6BEAB640,?,00000000,6BD61DEA), ref: 6BEAB339
                            • GetLastError.KERNEL32(?,?,?,6BEAB1EF,6BEAB640,?,00000000,6BD61DEA,?,6BEB4C0E,6BEAB640,000000FF,000000FF,00000002,00008000,6BEAB640), ref: 6BEAB343
                            • __dosmaperr.LIBCMT ref: 6BEAB34A
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            • API String ID: 2336955059-4022487301
                            • Opcode ID: 2d00764a20ea6d01d28cff46b5347907e8a402adb16fc2f3cfd8358ee4b135de
                            • Instruction ID: 9a909acf4d1745e8d81e0618176f384d11e7977abe63730c6c03551ec6bd7d7c
                            • Opcode Fuzzy Hash: 2d00764a20ea6d01d28cff46b5347907e8a402adb16fc2f3cfd8358ee4b135de
                            • Instruction Fuzzy Hash: FE012832A14518ABCF05AF79DC05C5E3B3DDB86725B350248F8109B280EBB4D9158790
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: <J$DJ$HJ$TJ$]
                            • API String ID: 0-686860805
                            • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction ID: 78628404c709782e43d0a41dfdc504d623f1ffa8ea3a4b351cd5669975234a7c
                            • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                            • Instruction Fuzzy Hash: 9F417E30C44349AECB24DBB0D5D18EEB774AF11208F3081ADD12167265EB39E65ACB61
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            • API String ID: 3732870572-0
                            • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                            • Instruction ID: 108eebac4aa011a031a8e3235dc7852cdd1c8de9ee3d757fa094fce6fd1f5bda
                            • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                            • Instruction Fuzzy Hash: B511D272604205BFEB204EA4CC81EAFBBBDEFD5758F10842DB641522A0DB75AC12C730
                            APIs
                            • GetLastError.KERNEL32(?,?,?,6BE9F4D4,6BEC6DF0,0000000C), ref: 6BEA4F27
                            • _free.LIBCMT ref: 6BEA4F84
                            • _free.LIBCMT ref: 6BEA4FBA
                            • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6BE9F4D4,6BEC6DF0,0000000C), ref: 6BEA4FC5
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            • API String ID: 2283115069-0
                            • Opcode ID: aa5fc150c536e6ba3a9b5f5ddff5b07a4ddd9cfba0118183c076b64340bbfa14
                            • Instruction ID: f0ad0486e92f36c9bcc8fe7ac4d7cc21d356d34f2fd9f516a1874b538b1f119e
                            • Opcode Fuzzy Hash: aa5fc150c536e6ba3a9b5f5ddff5b07a4ddd9cfba0118183c076b64340bbfa14
                            • Instruction Fuzzy Hash: 5311C6366042047AAB116AB89C81E1B367EAFC277DB32267EF1359E2D0EF6DCC155110
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6BEB4C5C,00000000,00000000,?,6BEB50C1,00000000,00000001,00000000,6BEAB640,?,6BEAC7F6,?,?,6BEAB640), ref: 6BEB6441
                            • GetLastError.KERNEL32(?,6BEB50C1,00000000,00000001,00000000,6BEAB640,?,6BEAC7F6,?,?,6BEAB640,?,6BEAB640,?,6BEAC28C,6BEB6026), ref: 6BEB644D
                              • Part of subcall function 6BEB649E: CloseHandle.KERNEL32(FFFFFFFE,6BEB645D,?,6BEB50C1,00000000,00000001,00000000,6BEAB640,?,6BEAC7F6,?,?,6BEAB640,?,6BEAB640), ref: 6BEB64AE
                            • ___initconout.LIBCMT ref: 6BEB645D
                              • Part of subcall function 6BEB647F: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6BEB641B,6BEB50AE,6BEAB640,?,6BEAC7F6,?,?,6BEAB640,?), ref: 6BEB6492
                            • WriteConsoleW.KERNEL32(00000000,?,6BEB4C5C,00000000,?,6BEB50C1,00000000,00000001,00000000,6BEAB640,?,6BEAC7F6,?,?,6BEAB640,?), ref: 6BEB6472
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            • API String ID: 2744216297-0
                            • Opcode ID: 14b3e9ec73931b01bf33ab7710054e9716b1a604290a2e8a137292aa75d40ed4
                            • Instruction ID: 50c84d81832c6cb53fdddb2b09bfca17a7754f3ce76303b7f826638b09a645af
                            • Opcode Fuzzy Hash: 14b3e9ec73931b01bf33ab7710054e9716b1a604290a2e8a137292aa75d40ed4
                            • Instruction Fuzzy Hash: 69F01C36440618BFCF222FA1DC04A9D7F36FF4A7A5B114060FA5885120CB32C8249B90
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BECE077
                              • Part of subcall function 6BECDFF5: __EH_prolog.LIBCMT ref: 6BECDFFA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: :$\
                            • API String ID: 3519838083-1166558509
                            • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction ID: 1567e1e4202bc63303348660117129be7d3e7958a55111dc22c063c278f555f4
                            • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                            • Instruction Fuzzy Hash: 60E1DE30950A04DACB15CFA8C692BEFB7B1BF05318F20815DD87567290EB7DB95ACB42
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog__aullrem
                            • String ID: d%K
                            • API String ID: 3415659256-3110269457
                            • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                            • Instruction ID: a1f05ec33b307ef39301b6b260575779bada892201ad09f8add9db793a794cc1
                            • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                            • Instruction Fuzzy Hash: 8581E673A082099FDF00CFA4C594BDEB7F5EF44354F108899E828AB265D779D909CBA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            • API String ID: 2427045233-4022487301
                            • Opcode ID: 1f63818b3732e5bb85aec95cca9bee4372221c80c13128b4b3b60d55edfc7776
                            • Instruction ID: 5f63fa31291dc1a152ebbd7ee255e6e6e8f0588880ef8cf585d5e5a6a725c1da
                            • Opcode Fuzzy Hash: 1f63818b3732e5bb85aec95cca9bee4372221c80c13128b4b3b60d55edfc7776
                            • Instruction Fuzzy Hash: A6719475D002169BEB318FA5C880AAEF77DEF45358F30416AE8206F390DB7D9952CB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$hfJ
                            • API String ID: 3519838083-1391159562
                            • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction ID: cac3ee09f62b2a6e08a3a8337fc466a56e16600879dfb36338186bc228c0ae0c
                            • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                            • Instruction Fuzzy Hash: A4912870D10349EFCB20DFA8C8949DEFBB8BF18308F64455EE455A7290D778AA45CB22
                            APIs
                            • __EH_prolog.LIBCMT ref: 6BEE8C5D
                              • Part of subcall function 6BEE761A: __EH_prolog.LIBCMT ref: 6BEE761F
                              • Part of subcall function 6BEE7A2E: __EH_prolog.LIBCMT ref: 6BEE7A33
                              • Part of subcall function 6BEE8EA5: __EH_prolog.LIBCMT ref: 6BEE8EAA
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            • API String ID: 3519838083-1089469559
                            • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction ID: 9c37fd4966586d236a5b61b46fb5de9b27f36714e853255d87a6dce18c8ef6c8
                            • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                            • Instruction Fuzzy Hash: 8C816935D00159DFCF15DFA4D991ADEB7B4AF18308F2040AEE416772A1DB38AE46CBA1
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6BD62A76
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: Jbx$Jbx
                            • API String ID: 4194217158-1161259238
                            • Opcode ID: 43172f14190f1fc322925fbf268b1d4d22e8bb83cb73188a8bacadb132c7cc3b
                            • Instruction ID: e40e01fc764b00deb07d7654776feafdec07043d0ddaf6e06390e3d0f61cf09c
                            • Opcode Fuzzy Hash: 43172f14190f1fc322925fbf268b1d4d22e8bb83cb73188a8bacadb132c7cc3b
                            • Instruction Fuzzy Hash: FB51E8B1900204DFCB14CF68D88169EBBB5EF89368F24856ED859DF341E339D985CB91
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: <dJ$Q
                            • API String ID: 3519838083-2252229148
                            • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                            • Instruction ID: e3f6f2f10372a83ccca9fcbfcdf198c00e58541396887ef68b8c97e405c43e41
                            • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                            • Instruction Fuzzy Hash: F5519F71D00209EFCF11CFA8D8909EEB7B5FF49308F20846EE522AB251D7399A56DB51
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $D^J
                            • API String ID: 3519838083-3977321784
                            • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                            • Instruction ID: 2fa60816da68e8a798c6f5097dc9c042f98fd1838f79965882a8051fc2172045
                            • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                            • Instruction Fuzzy Hash: A2413820E047906EDB229E38C5D07EDBBA19F1634CF34819CC4AA47289DB6C5997C3B1
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6BEB4C46), ref: 6BEAD58B
                            • __dosmaperr.LIBCMT ref: 6BEAD592
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            • API String ID: 1659562826-4022487301
                            • Opcode ID: ec477e16666143255683ca02a3a039d4c495f5cb5f5317a240ee4aa0f9dba518
                            • Instruction ID: fcddc7b7b7645c1588496a12bb140502c51a63c55a660743483c09a2fba609e2
                            • Opcode Fuzzy Hash: ec477e16666143255683ca02a3a039d4c495f5cb5f5317a240ee4aa0f9dba518
                            • Instruction Fuzzy Hash: A2415679644154AFDB11DF68C880BA97FEDEF4670CF348199EC808F241EB799C268790
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: X&L$p|J
                            • API String ID: 3519838083-2944591232
                            • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                            • Instruction ID: 89302220980cd0c5a8e80addca54f522bed7f777d3a8325aa6274360061d3ad5
                            • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                            • Instruction Fuzzy Hash: 1E313A37A84105DBDB018B68DDB1BAE7771EF21714F10006AD710E25B2CFECC982EA55
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction ID: 0ebc8adea8b6fbe273ce1774d40e40d4adc506d53740a561ce6b2aa473dca798
                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction Fuzzy Hash: 0A41A032605745EFDB129FB4C5A0BAFBBB2FF55208F00446EE46A57271CB396900DB92
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID: 3333
                            • API String ID: 3732870572-2924271548
                            • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction ID: 84f23503ab123be67afe3cd1732ae6fb355cfe7b287c8b4dbbbb7c24cd2abfc2
                            • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction Fuzzy Hash: CF21F7B29017046FD730CFB98881B6BFAF9FB84754F108D5EA586D3660DB74E8008B65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction ID: 613419664d8bdd16758db5ef4a3e6ab2d724e0a34a874f4af69d1c60144a1f4d
                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction Fuzzy Hash: 1601C0B2E00309DADB10CFA984909AEF7B4FF59704F40842EE469E3360C7B85905CB99
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$xMJ
                            • API String ID: 3519838083-951924499
                            • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction ID: dc6b2eed8ca48e5600eadb713946c70e2c8184a981f8827e256464cd043bdb38
                            • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction Fuzzy Hash: 19113C71E00249DBCB00CFA9C49059EF7B4FF58388B60C86EE469E7350D3789A16CB95
                            APIs
                            • _free.LIBCMT ref: 6BEAE2B9
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6BEAABAA,?,00000004,?,4B42FCB6,?,?,6BE9FCFC,4B42FCB6,?), ref: 6BEAE2F5
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1955666473.000000006BD11000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD10000, based on PE: true
                            • Associated: 00000006.00000002.1955611010.000000006BD10000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956877389.000000006BEB8000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1958193080.000000006C083000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            • Opcode ID: c70bb0d19439909a4c44d517481814087e8f65aa37935864c79f6d2d99669ae4
                            • Instruction ID: 09419340b36a3db179240e37873a24e3e99299b72ed5d5e5734a4b6f665d1410
                            • Opcode Fuzzy Hash: c70bb0d19439909a4c44d517481814087e8f65aa37935864c79f6d2d99669ae4
                            • Instruction Fuzzy Hash: E0F0C83152191465AB212A36EC61F4B3BAC9FC6B75B31416AF9149E290DF2CD81241B0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: <oJ
                            • API String ID: 3037903784-2791053824
                            • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction ID: c617b45762ca5cee3001712006707daf7ea1b297a74e90afa2703cc08ea7a520
                            • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction Fuzzy Hash: D2E02B73A51115DFD7049F58D411B9EF7B8EF40714F22005FE015A7351CBF9A811C680
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: |zJ
                            • API String ID: 3037903784-3782439380
                            • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                            • Instruction ID: e285232cd8e992a136bce7510224de12b5709ed71cd66b01560e2746daa2807a
                            • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                            • Instruction Fuzzy Hash: 72E0E537644121EBE7258F48D811B9EF3A4FF58B14F01405F9412A7171CFB8A8008681
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: @ K$DJ$T)K$X/K
                            • API String ID: 0-3815299647
                            • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                            • Instruction ID: 9a4d17009e1aa4c35bf6b92abd7c7821f7101d2a6dde000739f4db91c5e2d8d1
                            • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                            • Instruction Fuzzy Hash: 8591F236A143059BCF40DEB4C6517EF77A2EF4130CF20486DC8665B2A6CB7DA906CB52
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1956955249.000000006BEC8000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEC8000, based on PE: true
                            • Associated: 00000006.00000002.1957507495.000000006BF93000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1957538907.000000006BF99000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bd10000_#U5b89#U88c5#U52a9#U624b2.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                            • Instruction ID: 6e8bb1afcf35fa2d4794e791e6ab36e7c73a1e26b581a9fd2c4c83c9ddd8bba6
                            • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                            • Instruction Fuzzy Hash: EB51DE3690420ADBCF05CFE4D941ADFB7B1AF4531CF20406EE961672A1DBBD9944CB92

                            Execution Graph

                            Execution Coverage:4%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:0.4%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:58
                            execution_graph: rendered in the original report as an interactive call graph (numeric node ids, code addresses such as 226ba3 and 237da0, and API names such as VirtualFree, WaitForSingleObject, GetLastError, CloseHandle, OpenProcessToken, AdjustTokenPrivileges, FindFirstFileW, SetFileSecurityW, VirtualAlloc, ReadFile, WriteFile, DeleteFileW, SetFileAttributesW, SetFileTime); the raw node/edge listing is not reproduced here.
1b6754 74972->74980 74972->74984 74975 1a1e0c ctype 2 API calls 74973->74975 74978 1b65f6 74973->74978 74974 1b64da 74974->74971 74974->74984 75154 1b789c free memmove ctype 74974->75154 74975->74978 75155 1c36ea 74978->75155 74983 1a1e0c ctype 2 API calls 74979->74983 75042 1b5bea 74980->75042 74982 1b666b 75168 1a1e40 free 74982->75168 74983->74984 74984->74944 74986->74974 74986->74984 75153 1a42e3 CharUpperW 74986->75153 74987 1b665c 75167 1a31e5 malloc _CxxThrowException free _CxxThrowException 74987->75167 74993 1b62c9 74992->74993 75169 1c8fa4 74993->75169 74997 1b5130 __EH_prolog 74996->74997 74998 1b51b4 74997->74998 75004 1b518e 74997->75004 75213 1a3097 malloc _CxxThrowException free SysStringLen ctype 74997->75213 75000 1a965d VariantClear 74998->75000 74998->75004 75002 1b51bc 75000->75002 75001 1a965d VariantClear 75003 1b527f 75001->75003 75002->75004 75005 1b5289 75002->75005 75006 1b5206 75002->75006 75003->74984 75038 1c8b05 75003->75038 75004->75001 75005->75004 75008 1b5221 75005->75008 75214 1a3097 malloc _CxxThrowException free SysStringLen ctype 75006->75214 75009 1a965d VariantClear 75008->75009 75010 1b522d 75009->75010 75010->75003 75012 1b5351 75010->75012 75215 1b5459 malloc _CxxThrowException __EH_prolog 75010->75215 75012->75003 75018 1b53a1 75012->75018 75220 1a35e7 memmove 75012->75220 75013 1b52ba 75216 1a8011 5 API calls ctype 75013->75216 75016 1b52cf 75029 1b52fd 75016->75029 75217 1a823d 10 API calls 2 library calls 75016->75217 75018->75003 75221 1a43b7 5 API calls 2 library calls 75018->75221 75021 1b52e5 75022 1a2fec 3 API calls 75021->75022 75024 1b52f5 75022->75024 75023 1b540e 75223 1b789c free memmove ctype 75023->75223 75218 1a1e40 free 75024->75218 75028 1b53df 75028->75023 75030 1b541c 75028->75030 75222 1a42e3 CharUpperW 75028->75222 75219 1b54a0 free ctype 75029->75219 75031 1c36ea 5 API calls 75030->75031 75032 1b5427 75031->75032 75033 1a2fec 3 API calls 75032->75033 75034 1b5433 75033->75034 75224 1a1e40 free 
75034->75224 75036 1b543b 75225 1d2db9 free ctype 75036->75225 75039 1c8b2e 75038->75039 75040 1a965d VariantClear 75039->75040 75041 1b648a 75040->75041 75041->74968 75041->74984 75043 1b5bf4 __EH_prolog 75042->75043 75226 1b54c0 75043->75226 75046 1b5e17 75046->74984 75047 1c8b05 VariantClear 75048 1b5c34 75047->75048 75048->75046 75241 1b5630 75048->75241 75051 1c36ea 5 API calls 75052 1b5c51 75051->75052 75053 1b5c60 75052->75053 75339 1b57c1 53 API calls 2 library calls 75052->75339 75055 1a2f1c 2 API calls 75053->75055 75056 1b5c6c 75055->75056 75059 1b5caa 75056->75059 75340 1b6217 4 API calls 2 library calls 75056->75340 75058 1b5c91 75060 1a2fec 3 API calls 75058->75060 75062 1b5d49 75059->75062 75067 1a2e04 2 API calls 75059->75067 75061 1b5c9e 75060->75061 75063 1b5d91 75062->75063 75064 1b5d55 75062->75064 75073 1b5da6 75063->75073 75262 1b58be 75063->75262 75066 1a2fec 3 API calls 75064->75066 75070 1b5cd2 75067->75070 75342 1a1e40 free 75070->75342 75152->74986 75153->74986 75154->74971 75156 1c36f4 __EH_prolog 75155->75156 75157 1a2e04 2 API calls 75156->75157 75158 1c370a 75157->75158 75159 1c3736 75158->75159 75435 1a1089 malloc _CxxThrowException free _CxxThrowException 75158->75435 75436 1a31e5 malloc _CxxThrowException free _CxxThrowException 75158->75436 75160 1a2f1c 2 API calls 75159->75160 75162 1c3742 75160->75162 75434 1a1e40 free 75162->75434 75165 1b6633 75165->74982 75165->74987 75166 1a1089 malloc _CxxThrowException free _CxxThrowException 75165->75166 75166->74987 75167->74982 75168->74984 75170 1c8fae __EH_prolog 75169->75170 75171 1c7ebb free 75170->75171 75172 1c8ff2 75171->75172 75203 1c8b64 75172->75203 75175 1b6302 75175->74959 75175->74960 75175->74984 75177 1c9020 75177->75175 75178 1a2fec 3 API calls 75177->75178 75179 1c903a 75178->75179 75192 1c904d 75179->75192 75207 1c8b80 VariantClear 75179->75207 75181 1c9244 75212 1a43b7 5 API calls 2 library calls 75181->75212 75182 1c91b0 75210 1c8b9c 10 API calls 2 library calls 
75182->75210 75183 1c9144 75186 1a2f88 3 API calls 75183->75186 75190 1c917b 75183->75190 75186->75190 75187 1c91c0 75187->75175 75195 1a2f88 3 API calls 75187->75195 75188 1c9100 75191 1a965d VariantClear 75188->75191 75189 1c90d6 75189->75188 75194 1c90e7 75189->75194 75209 1c8f2e 9 API calls 75189->75209 75190->75181 75190->75182 75191->75175 75192->75175 75192->75183 75192->75188 75192->75189 75208 1a3097 malloc _CxxThrowException free SysStringLen ctype 75192->75208 75197 1a965d VariantClear 75194->75197 75201 1c91ff 75195->75201 75197->75183 75198 1c9112 75198->75188 75199 1c8b64 VariantClear 75198->75199 75200 1c9123 75199->75200 75200->75188 75200->75194 75201->75175 75211 1a50ff free ctype 75201->75211 75204 1c8b05 VariantClear 75203->75204 75205 1c8b6f 75204->75205 75205->75175 75206 1c8f2e 9 API calls 75205->75206 75206->75177 75207->75192 75208->75189 75209->75198 75210->75187 75211->75175 75212->75175 75213->74998 75214->75008 75215->75013 75216->75016 75217->75021 75218->75029 75219->75012 75220->75012 75221->75028 75222->75028 75223->75030 75224->75036 75225->75003 75227 1b54ca __EH_prolog 75226->75227 75228 1a965d VariantClear 75227->75228 75231 1b5507 75227->75231 75232 1b5528 75228->75232 75229 1a965d VariantClear 75230 1b5567 75229->75230 75230->75046 75230->75047 75231->75229 75232->75231 75233 1b5572 75232->75233 75234 1a965d VariantClear 75233->75234 75235 1b558e 75234->75235 75376 1b4cac VariantClear __EH_prolog 75235->75376 75237 1b55a1 75237->75230 75377 1b4cac VariantClear __EH_prolog 75237->75377 75239 1b55b8 75239->75230 75378 1b4cac VariantClear __EH_prolog 75239->75378 75242 1b563a __EH_prolog 75241->75242 75244 1b5679 75242->75244 75379 1c3558 10 API calls 2 library calls 75242->75379 75245 1a2f1c 2 API calls 75244->75245 75261 1b571a 75244->75261 75246 1b5696 75245->75246 75380 1c3333 malloc _CxxThrowException free 75246->75380 75248 1b56a2 75249 1b56ad 75248->75249 75250 1b56c5 75248->75250 75381 1b7853 5 API calls 2 library calls 
75249->75381 75253 1b56b4 75250->75253 75382 1a4adf wcscmp 75250->75382 75252 1b5707 75385 1a31e5 malloc _CxxThrowException free _CxxThrowException 75252->75385 75253->75252 75384 1a1089 malloc _CxxThrowException free _CxxThrowException 75253->75384 75257 1b56d2 75257->75253 75383 1b7853 5 API calls 2 library calls 75257->75383 75258 1b5712 75386 1a1e40 free 75258->75386 75261->75051 75339->75053 75340->75058 75376->75237 75377->75239 75378->75230 75379->75244 75380->75248 75381->75253 75382->75257 75383->75253 75384->75252 75385->75258 75386->75261 75434->75165 75435->75158 75436->75158 75437 1cd3c2 75438 1cd3e9 75437->75438 75439 1a965d VariantClear 75438->75439 75440 1cd42a 75439->75440 75441 1cd883 2 API calls 75440->75441 75442 1cd4b1 75441->75442 75528 1c8d4a 75442->75528 75445 1c8b05 VariantClear 75447 1cd4e3 75445->75447 75545 1c2a72 75447->75545 75449 1a2fec 3 API calls 75450 1cd594 75449->75450 75451 1cd5cd 75450->75451 75452 1cd742 75450->75452 75453 1cd7d9 75451->75453 75549 1c9317 75451->75549 75576 1ccd49 malloc _CxxThrowException free 75452->75576 75579 1a1e40 free 75453->75579 75456 1cd754 75459 1a2fec 3 API calls 75456->75459 75463 1cd763 75459->75463 75460 1cd7e1 75580 1a1e40 free 75460->75580 75462 1cd5f1 75465 1e04d2 5 API calls 75462->75465 75577 1a1e40 free 75463->75577 75464 1cd7e9 75467 1c326b free 75464->75467 75468 1cd5f9 75465->75468 75477 1cd69a 75467->75477 75555 1ce332 75468->75555 75469 1cd76b 75578 1a1e40 free 75469->75578 75472 1cd773 75474 1c326b free 75472->75474 75474->75477 75476 1cd610 75562 1a1e40 free 75476->75562 75479 1cd618 75563 1c326b 75479->75563 75481 1cd2a8 75481->75477 75503 1cd883 75481->75503 75504 1cd88d __EH_prolog 75503->75504 75505 1a2e04 2 API calls 75504->75505 75506 1cd8c6 75505->75506 75507 1a2e04 2 API calls 75506->75507 75508 1cd8d2 75507->75508 75509 1a2e04 2 API calls 75508->75509 75510 1cd8de 75509->75510 75581 1c2b63 75510->75581 75533 1c8d54 __EH_prolog 75528->75533 75529 1c8e09 75531 1a965d 
VariantClear 75529->75531 75530 1c8e15 75532 1c8e2d 75530->75532 75534 1c8e5e 75530->75534 75535 1c8e21 75530->75535 75539 1c8e11 75531->75539 75532->75534 75540 1c8e2b 75532->75540 75542 1c8da4 75533->75542 75589 1a2b55 malloc _CxxThrowException free _CxxThrowException ctype 75533->75589 75536 1a965d VariantClear 75534->75536 75590 1a3097 malloc _CxxThrowException free SysStringLen ctype 75535->75590 75536->75539 75539->75445 75541 1a965d VariantClear 75540->75541 75543 1c8e47 75541->75543 75542->75529 75542->75530 75542->75539 75543->75539 75591 1c8e7c 6 API calls __EH_prolog 75543->75591 75546 1c2a82 75545->75546 75547 1a2e04 2 API calls 75546->75547 75548 1c2a9f 75547->75548 75548->75449 75551 1c9321 __EH_prolog 75549->75551 75550 1a965d VariantClear 75552 1c93d0 75550->75552 75554 1c9360 75551->75554 75592 1a9686 VariantClear 75551->75592 75552->75453 75552->75462 75554->75550 75556 1ce33c __EH_prolog 75555->75556 75557 1a1e0c ctype 2 API calls 75556->75557 75558 1ce34a 75557->75558 75559 1cd608 75558->75559 75593 1ce3d1 malloc _CxxThrowException __EH_prolog 75558->75593 75561 1a1e40 free 75559->75561 75561->75476 75562->75479 75564 1c3275 __EH_prolog 75563->75564 75594 1c2c0b 75564->75594 75567 1c2c0b ctype free 75568 1c3296 75567->75568 75599 1a1e40 free 75568->75599 75570 1c329e 75600 1a1e40 free 75570->75600 75572 1c32a6 75601 1a1e40 free 75572->75601 75574 1c32ae 75574->75481 75576->75456 75577->75469 75578->75472 75579->75460 75580->75464 75589->75542 75590->75540 75591->75539 75592->75554 75593->75559 75602 1a1e40 free 75594->75602 75596 1c2c16 75603 1a1e40 free 75596->75603 75598 1c2c1e 75598->75567 75599->75570 75600->75572 75601->75574 75602->75596 75603->75598 75604 1d993d 75688 1db5b1 75604->75688 75607 1d9963 75694 1b1f33 75607->75694 75610 1d9975 75611 1d99ce 75610->75611 75612 1d99b7 GetStdHandle GetConsoleScreenBufferInfo 75610->75612 75613 1a1e0c ctype 2 API calls 75611->75613 75612->75611 75614 1d99dc 75613->75614 75815 1c7b48 75614->75815 
75616 1d9a29 75844 1db96d _CxxThrowException 75616->75844 75618 1d9a30 75845 1c7018 8 API calls 2 library calls 75618->75845 75620 1d9a7c 75846 1cddb5 6 API calls 2 library calls 75620->75846 75622 1d9a66 _CxxThrowException 75622->75620 75623 1d9aa6 75624 1d9aaa _CxxThrowException 75623->75624 75628 1d9ac0 75623->75628 75624->75628 75625 1d9a37 75625->75620 75625->75622 75626 1d9b3a 75850 1a1fa0 fputc 75626->75850 75628->75626 75630 1d9bfa _CxxThrowException 75628->75630 75847 1c7dd7 7 API calls 2 library calls 75628->75847 75848 1dc077 6 API calls 75628->75848 75849 1a1e40 free 75628->75849 75687 1d9be6 75630->75687 75631 1d9b63 fputs 75851 1a1fa0 fputc 75631->75851 75634 1d9b79 strlen strlen 75635 1d9baa fputs fputc 75634->75635 75636 1d9e25 75634->75636 75635->75687 75859 1a1fa0 fputc 75636->75859 75639 1d9e2c fputs 75645 1db67d 12 API calls 75645->75687 75650 1a2e04 2 API calls 75650->75687 75661 1a31e5 malloc _CxxThrowException free _CxxThrowException 75661->75687 75666 1d9d2a fputs 75856 1a21d8 fputs 75666->75856 75670 1d9d5f fputs 75670->75687 75687->75635 75687->75636 75687->75645 75687->75650 75687->75661 75687->75666 75687->75670 75852 1a21d8 fputs 75687->75852 75853 1a315e malloc _CxxThrowException free _CxxThrowException 75687->75853 75854 1a3221 malloc _CxxThrowException free _CxxThrowException 75687->75854 75855 1a1089 malloc _CxxThrowException free _CxxThrowException 75687->75855 75857 1a1fa0 fputc 75687->75857 75858 1a1e40 free 75687->75858 75689 1db5bc fputs 75688->75689 75690 1d994a 75688->75690 75884 1a1fa0 fputc 75689->75884 75690->75607 75832 1a1fb3 75690->75832 75692 1db5d5 75692->75690 75693 1db5d9 fputs 75692->75693 75693->75690 75695 1b1f4f 75694->75695 75696 1b1f6c 75694->75696 75927 1c1d73 5 API calls __EH_prolog 75695->75927 75885 1b29eb 75696->75885 75699 1b1f5e _CxxThrowException 75699->75696 75700 1b1fa3 75703 1b1fbc 75700->75703 75705 1a4fc0 5 API calls 75700->75705 75706 1b1fda 75703->75706 75707 1a2fec 3 API calls 75703->75707 
75704 1b1f95 _CxxThrowException 75704->75700 75705->75703 75708 1b2022 wcscmp 75706->75708 75716 1b2036 75706->75716 75707->75706 75709 1b20af 75708->75709 75708->75716 75929 1c1d73 5 API calls __EH_prolog 75709->75929 75711 1b20be _CxxThrowException 75711->75716 75712 1b20a9 75930 1b393c 6 API calls 2 library calls 75712->75930 75714 1b20f4 75931 1b393c 6 API calls 2 library calls 75714->75931 75716->75712 75721 1b219a 75716->75721 75717 1b2108 75718 1b2135 75717->75718 75932 1b2e04 62 API calls 2 library calls 75717->75932 75725 1b2159 75718->75725 75933 1b2e04 62 API calls 2 library calls 75718->75933 75934 1c1d73 5 API calls __EH_prolog 75721->75934 75723 1b21a9 _CxxThrowException 75723->75725 75724 1b227f 75890 1b2aa9 75724->75890 75725->75724 75726 1b2245 75725->75726 75935 1c1d73 5 API calls __EH_prolog 75725->75935 75729 1a2fec 3 API calls 75726->75729 75732 1b225c 75729->75732 75731 1b2237 _CxxThrowException 75731->75726 75732->75724 75936 1c1d73 5 API calls __EH_prolog 75732->75936 75733 1b22d9 75734 1b2302 75733->75734 75736 1a2fec 3 API calls 75733->75736 75908 1a4fc0 75734->75908 75735 1a2fec 3 API calls 75735->75733 75736->75734 75740 1b2271 _CxxThrowException 75740->75724 75742 1b2322 75743 1b26c6 75742->75743 75751 1b23a1 75742->75751 75744 1b28ce 75743->75744 75746 1b2700 75743->75746 75949 1c1d73 5 API calls __EH_prolog 75743->75949 75745 1b293a 75744->75745 75759 1b28d5 75744->75759 75749 1b293f 75745->75749 75750 1b29a5 75745->75750 75950 1b32ec 14 API calls 2 library calls 75746->75950 75967 1a4eec 16 API calls 75749->75967 75753 1b29ae _CxxThrowException 75750->75753 75807 1b264d 75750->75807 75757 1b247a wcscmp 75751->75757 75776 1b248e 75751->75776 75752 1b26f2 _CxxThrowException 75752->75746 75754 1b2713 75951 1b3a29 75754->75951 75756 1b294c 75968 1a4ea1 8 API calls 75756->75968 75762 1b24cf wcscmp 75757->75762 75757->75776 75759->75807 75966 1c1d73 5 API calls __EH_prolog 75759->75966 75766 1b24ef wcscmp 75762->75766 75762->75776 75763 
1b2953 75768 1a4fc0 5 API calls 75763->75768 75767 1b250f 75766->75767 75766->75776 75940 1c1d73 5 API calls __EH_prolog 75767->75940 75768->75807 75769 1b2920 _CxxThrowException 75769->75807 75772 1b251e _CxxThrowException 75774 1b252c 75772->75774 75773 1b27cf 75777 1b2880 75773->75777 75782 1b281f 75773->75782 75962 1c1d73 5 API calls __EH_prolog 75773->75962 75778 1b2569 75774->75778 75941 1b2e04 62 API calls 2 library calls 75774->75941 75775 1a2fec 3 API calls 75779 1b27a9 75775->75779 75776->75774 75937 1a4eec 16 API calls 75776->75937 75938 1a4ea1 8 API calls 75776->75938 75939 1c1d73 5 API calls __EH_prolog 75776->75939 75780 1b289b 75777->75780 75787 1a2fec 3 API calls 75777->75787 75784 1b258c 75778->75784 75942 1b2e04 62 API calls 2 library calls 75778->75942 75779->75773 75961 1a3563 memmove 75779->75961 75780->75807 75965 1c1d73 5 API calls __EH_prolog 75780->75965 75782->75777 75789 1b2847 75782->75789 75963 1c1d73 5 API calls __EH_prolog 75782->75963 75791 1b25a4 75784->75791 75943 1b2a61 malloc _CxxThrowException free _CxxThrowException memcpy 75784->75943 75785 1b24c1 _CxxThrowException 75785->75762 75787->75780 75788 1b2811 _CxxThrowException 75788->75782 75789->75777 75964 1c1d73 5 API calls __EH_prolog 75789->75964 75944 1a4eec 16 API calls 75791->75944 75797 1b25ad 75945 1c1b07 49 API calls 75797->75945 75798 1b28c0 _CxxThrowException 75798->75744 75799 1b2839 _CxxThrowException 75799->75789 75802 1b2872 _CxxThrowException 75802->75777 75803 1b25b4 75946 1a4ea1 8 API calls 75803->75946 75805 1b25bb 75806 1a2fec 3 API calls 75805->75806 75809 1b25d6 75805->75809 75806->75809 75807->75610 75808 1b261f 75808->75807 75810 1a2fec 3 API calls 75808->75810 75809->75807 75809->75808 75947 1c1d73 5 API calls __EH_prolog 75809->75947 75812 1b263f 75810->75812 75948 1a859e malloc _CxxThrowException free _CxxThrowException 75812->75948 75813 1b2611 _CxxThrowException 75813->75808 75816 1c7b52 __EH_prolog 75815->75816 75987 1c7eec 75816->75987 75818 1c7ca4 
75818->75616 75820 1a2e04 malloc _CxxThrowException 75827 1c7b63 75820->75827 75821 1a30ea malloc _CxxThrowException free 75821->75827 75823 1a1e40 free ctype 75823->75827 75825 1b12a5 5 API calls 75825->75827 75826 1e04d2 5 API calls 75826->75827 75827->75818 75827->75820 75827->75821 75827->75823 75827->75825 75827->75826 75829 1a429a 3 API calls 75827->75829 75830 1c7193 free 75827->75830 75831 1c7c61 memcpy 75827->75831 75992 1c70ea 75827->75992 75995 1c7a40 75827->75995 76013 1c7cc3 6 API calls 75827->76013 76014 1c74eb malloc _CxxThrowException memcpy __EH_prolog ctype 75827->76014 75829->75827 75830->75827 75831->75827 75833 1a1fbd __EH_prolog 75832->75833 76021 1a26dd 75833->76021 75836 1a2e47 2 API calls 75837 1a1fda 75836->75837 76024 1a2010 75837->76024 75839 1a1fed 76027 1a1e40 free 75839->76027 75841 1a1ff5 76028 1a1e40 free 75841->76028 75843 1a1ffd 75843->75607 75844->75618 75845->75625 75846->75623 75847->75628 75848->75628 75849->75628 75850->75631 75851->75634 75852->75687 75853->75687 75854->75687 75855->75687 75856->75687 75857->75687 75858->75687 75859->75639 75884->75692 75886 1a2f1c 2 API calls 75885->75886 75887 1b29fe 75886->75887 75969 1a1e40 free 75887->75969 75889 1b1f7e 75889->75700 75928 1c1d73 5 API calls __EH_prolog 75889->75928 75891 1b2ab3 __EH_prolog 75890->75891 75902 1b2b0f 75891->75902 75970 1a2e8a 75891->75970 75894 1b22ad 75894->75733 75894->75735 75896 1b2bc6 75980 1c1d73 5 API calls __EH_prolog 75896->75980 75897 1b2b04 75975 1a1e40 free 75897->75975 75900 1b2bd6 _CxxThrowException 75900->75894 75902->75894 75902->75896 75905 1b2b9f 75902->75905 75976 1b2cb4 48 API calls 2 library calls 75902->75976 75977 1b2bf5 8 API calls __EH_prolog 75902->75977 75978 1b2a61 malloc _CxxThrowException free _CxxThrowException memcpy 75902->75978 75905->75894 75979 1c1d73 5 API calls __EH_prolog 75905->75979 75907 1b2bb8 _CxxThrowException 75907->75896 75909 1a4fd2 75908->75909 75914 1a4fce 75908->75914 75910 1c7ebb free 75909->75910 75911 
1a4fd9 75910->75911 75912 1a4fe9 _CxxThrowException 75911->75912 75913 1a4ffe 75911->75913 75917 1a5006 75911->75917 75912->75913 75981 1e0551 malloc _CxxThrowException free memcpy ctype 75913->75981 75918 1b384c 75914->75918 75917->75914 75982 1a1524 malloc _CxxThrowException __EH_prolog ctype 75917->75982 75924 1b3856 __EH_prolog 75918->75924 75919 1a2e04 malloc _CxxThrowException 75919->75924 75920 1a2fec 3 API calls 75920->75924 75921 1a2f88 3 API calls 75921->75924 75922 1e04d2 5 API calls 75922->75924 75924->75919 75924->75920 75924->75921 75924->75922 75925 1a1e40 free ctype 75924->75925 75926 1b3917 75924->75926 75983 1b3b76 malloc _CxxThrowException __EH_prolog ctype 75924->75983 75925->75924 75926->75742 75927->75699 75928->75704 75929->75711 75930->75714 75931->75717 75932->75718 75933->75725 75934->75723 75935->75731 75936->75740 75937->75776 75938->75776 75939->75785 75940->75772 75941->75778 75942->75784 75943->75791 75944->75797 75945->75803 75946->75805 75947->75813 75948->75807 75949->75752 75950->75754 75952 1b3a3b 75951->75952 75957 1b2722 75951->75957 75984 1b3bd9 free ctype 75952->75984 75954 1b3a42 75955 1b3a52 _CxxThrowException 75954->75955 75956 1b3a67 75954->75956 75958 1b3a6f 75954->75958 75955->75956 75985 1e0551 malloc _CxxThrowException free memcpy ctype 75956->75985 75957->75773 75957->75775 75958->75957 75986 1b3b76 malloc _CxxThrowException __EH_prolog ctype 75958->75986 75961->75773 75962->75788 75963->75799 75964->75802 75965->75798 75966->75769 75967->75756 75968->75763 75969->75889 75971 1a2ea0 75970->75971 75972 1a2ba6 2 API calls 75971->75972 75973 1a2eaf 75972->75973 75974 1b2a61 malloc _CxxThrowException free _CxxThrowException memcpy 75973->75974 75974->75897 75975->75902 75976->75902 75977->75902 75978->75902 75979->75907 75980->75900 75981->75917 75982->75917 75983->75924 75984->75954 75985->75958 75986->75958 75988 1c7f14 75987->75988 75989 1c7ef7 75987->75989 75988->75827 75989->75988 75990 1c7193 free 75989->75990 
76015 1a1e40 free 75989->76015 75990->75989 75993 1a2e04 2 API calls 75992->75993 75994 1c7103 75993->75994 75994->75827 75996 1c7a4a __EH_prolog 75995->75996 76016 1a361b 6 API calls 2 library calls 75996->76016 75998 1c7a78 76017 1a361b 6 API calls 2 library calls 75998->76017 76000 1c7b20 76019 1d2db9 free ctype 76000->76019 76002 1a2e04 malloc _CxxThrowException 76004 1c7a83 76002->76004 76003 1c7b2b 76020 1d2db9 free ctype 76003->76020 76004->76000 76004->76002 76007 1a2fec 3 API calls 76004->76007 76008 1a2fec 3 API calls 76004->76008 76009 1e04d2 5 API calls 76004->76009 76012 1a1e40 free ctype 76004->76012 76018 1c7955 malloc _CxxThrowException __EH_prolog ctype 76004->76018 76006 1c7b37 76006->75827 76007->76004 76010 1c7aca wcscmp 76008->76010 76009->76004 76010->76004 76012->76004 76013->75827 76014->75827 76015->75989 76016->75998 76017->76004 76018->76004 76019->76003 76020->76006 76022 1a1e0c ctype 2 API calls 76021->76022 76023 1a1fcb 76022->76023 76023->75836 76029 1a2033 76024->76029 76027->75841 76028->75843 76030 1a203b 76029->76030 76031 1a2054 76030->76031 76032 1a2045 76030->76032 76037 1a37ff 9 API calls 76031->76037 76036 1a421e malloc _CxxThrowException free _CxxThrowException _CxxThrowException 76032->76036 76035 1a2022 fputs 76035->75839 76036->76035 76037->76035 76040 226bc6 76041 226bca 76040->76041 76042 226bcd 76040->76042 76042->76041 76043 226bd1 malloc 76042->76043 76043->76041 76044 1ccefb 76045 1ccf03 76044->76045 76074 1cd0cc 76044->76074 76045->76074 76091 1ccae9 VariantClear 76045->76091 76047 1ccf59 76047->76074 76092 1ccae9 VariantClear 76047->76092 76049 1ccf71 76049->76074 76093 1ccae9 VariantClear 76049->76093 76051 1ccf87 76051->76074 76094 1ccae9 VariantClear 76051->76094 76053 1ccf9d 76053->76074 76095 1ccae9 VariantClear 76053->76095 76055 1ccfb3 76055->76074 76096 1ccae9 VariantClear 76055->76096 76057 1ccfc9 76057->76074 76097 1a4504 malloc _CxxThrowException 76057->76097 76059 1ccfdc 76060 1a2e04 2 API calls 
76059->76060 76062 1ccfe7 76060->76062 76061 1cd009 76064 1cd07b 76061->76064 76066 1cd080 76061->76066 76067 1cd030 76061->76067 76062->76061 76063 1a2f88 3 API calls 76062->76063 76063->76061 76105 1a1e40 free 76064->76105 76102 1c7a0c CharUpperW 76066->76102 76070 1a2e04 2 API calls 76067->76070 76068 1cd0c4 76106 1a1e40 free 76068->76106 76073 1cd038 76070->76073 76072 1cd08b 76103 1bfdbc 4 API calls 2 library calls 76072->76103 76075 1a2e04 2 API calls 76073->76075 76077 1cd046 76075->76077 76098 1bfdbc 4 API calls 2 library calls 76077->76098 76078 1cd0a7 76080 1a2fec 3 API calls 76078->76080 76082 1cd0b3 76080->76082 76081 1cd057 76083 1a2fec 3 API calls 76081->76083 76104 1a1e40 free 76082->76104 76085 1cd063 76083->76085 76099 1a1e40 free 76085->76099 76087 1cd06b 76100 1a1e40 free 76087->76100 76089 1cd073 76101 1a1e40 free 76089->76101 76091->76047 76092->76049 76093->76051 76094->76053 76095->76055 76096->76057 76097->76059 76098->76081 76099->76087 76100->76089 76101->76064 76102->76072 76103->76078 76104->76064 76105->76068 76106->76074 76107 1ac3bd 76108 1ac3db 76107->76108 76109 1ac3ca 76107->76109 76109->76108 76111 1a1e40 free 76109->76111 76111->76108 76112 1d5475 76113 1a2fec 3 API calls 76112->76113 76114 1d54b4 76113->76114 76117 1dc911 76114->76117 76116 1d54bb 76118 1dc92f 76117->76118 76119 1dc926 GetTickCount 76117->76119 76133 1dc96d 76118->76133 76149 1dcb64 76118->76149 76181 1a2ab1 strcmp 76118->76181 76119->76118 76123 1dc95b 76123->76133 76182 1a3542 wcscmp 76123->76182 76124 1a27bb 3 API calls 76131 1dc9e2 76124->76131 76126 1dc9ce 76126->76124 76126->76149 76128 1dca0a 76129 1dca21 76128->76129 76132 1a286d 5 API calls 76128->76132 76130 1dcb10 76129->76130 76138 1a286d 5 API calls 76129->76138 76170 1dcb74 76130->76170 76131->76128 76184 1a286d 76131->76184 76135 1dca16 76132->76135 76133->76149 76162 1dc86a 76133->76162 76191 1a28fa malloc _CxxThrowException free memcpy _CxxThrowException 76135->76191 76142 1dca40 76138->76142 
76141 1dcb59 76196 1dcb92 malloc _CxxThrowException free 76141->76196 76145 1a2fec 3 API calls 76142->76145 76148 1dca4e 76145->76148 76154 1a2033 10 API calls 76148->76154 76149->76116 76150 1dcb49 76195 1a1f91 fflush 76150->76195 76151 1dcb50 76153 1a27bb 3 API calls 76151->76153 76153->76141 76161 1dca6a 76154->76161 76155 1dcaf5 76194 1a28fa malloc _CxxThrowException free memcpy _CxxThrowException 76155->76194 76157 1a2fec 3 API calls 76157->76161 76160 1a2033 10 API calls 76160->76161 76161->76155 76161->76157 76161->76160 76192 1a3599 memmove 76161->76192 76193 1a3402 malloc _CxxThrowException free memmove _CxxThrowException 76161->76193 76164 1dc88c __aulldiv 76162->76164 76163 1dc8d3 strlen 76165 1dc8f1 76163->76165 76166 1dc900 76163->76166 76164->76163 76165->76166 76168 1a286d 5 API calls 76165->76168 76167 1a28a1 5 API calls 76166->76167 76169 1dc90c 76167->76169 76168->76165 76169->76126 76183 1a2ab1 strcmp 76169->76183 76171 1dcb7c strcmp 76170->76171 76172 1dcb1c 76170->76172 76171->76172 76172->76141 76173 1dc7d7 76172->76173 76174 1dc849 76173->76174 76175 1dc7ea 76173->76175 76176 1dc85a fputs 76174->76176 76198 1a1f91 fflush 76174->76198 76177 1dc7fe fputs 76175->76177 76197 1a25cb malloc _CxxThrowException free _CxxThrowException ctype 76175->76197 76176->76150 76176->76151 76177->76174 76181->76123 76182->76133 76183->76126 76199 1a1e9d 76184->76199 76187 1a28a1 76188 1a28b0 76187->76188 76188->76188 76204 1a267f 76188->76204 76190 1a28bf 76190->76128 76191->76129 76192->76161 76193->76161 76194->76130 76195->76151 76196->76149 76197->76177 76198->76176 76200 1a1ea8 76199->76200 76201 1a1ead 76199->76201 76203 1a263c malloc _CxxThrowException free memcpy _CxxThrowException 76200->76203 76201->76187 76203->76201 76205 1a26c2 76204->76205 76207 1a2693 76204->76207 76205->76190 76206 1a26c8 _CxxThrowException 76209 1a26dd 76206->76209 76207->76206 76208 1a26bc 76207->76208 76213 1a2595 malloc _CxxThrowException free memcpy ctype 76208->76213 76211 
1a1e0c ctype 2 API calls 76209->76211 76212 1a26ea 76211->76212 76212->76190 76213->76205 76214 1dadb7 76215 1dadc1 __EH_prolog 76214->76215 76216 1a26dd 2 API calls 76215->76216 76217 1dae1d 76216->76217 76218 1a2e04 2 API calls 76217->76218 76219 1dae38 76218->76219 76220 1a2e04 2 API calls 76219->76220 76221 1dae44 76220->76221 76222 1a2e04 2 API calls 76221->76222 76223 1dae68 76222->76223 76230 1dad29 76223->76230 76227 1dae94 76228 1a2e04 2 API calls 76227->76228 76229 1daeb2 76228->76229 76231 1dad33 __EH_prolog 76230->76231 76232 1a2e04 2 API calls 76231->76232 76233 1dad5f 76232->76233 76234 1a2e04 2 API calls 76233->76234 76235 1dad72 76234->76235 76236 1daf2d 76235->76236 76237 1daf37 __EH_prolog 76236->76237 76248 1b34f4 malloc _CxxThrowException __EH_prolog 76237->76248 76239 1dafac 76240 1a2e04 2 API calls 76239->76240 76241 1dafbb 76240->76241 76242 1a2e04 2 API calls 76241->76242 76243 1dafca 76242->76243 76244 1a2e04 2 API calls 76243->76244 76245 1dafd9 76244->76245 76246 1a2e04 2 API calls 76245->76246 76247 1dafe8 76246->76247 76247->76227 76248->76239 76249 1e8eb1 76254 1e8ed1 76249->76254 76252 1e8ec9 76255 1e8edb __EH_prolog 76254->76255 76263 1e9267 76255->76263 76259 1e8efd 76268 1de5f1 free ctype 76259->76268 76261 1e8eb9 76261->76252 76262 1a1e40 free 76261->76262 76262->76252 76264 1e9271 __EH_prolog 76263->76264 76269 1a1e40 free 76264->76269 76266 1e8ef1 76267 1e922b free CloseHandle GetLastError ctype 76266->76267 76267->76259 76268->76261 76269->76266 76270 1da42c 76271 1da449 76270->76271 76272 1da435 fputs 76270->76272 76429 1d545d 76271->76429 76428 1a1fa0 fputc 76272->76428 76276 1a2e04 2 API calls 76277 1da4a1 76276->76277 76433 1c1858 76277->76433 76279 1da4c9 76495 1a1e40 free 76279->76495 76281 1da4d8 76282 1da4ee 76281->76282 76283 1dc7d7 ctype 6 API calls 76281->76283 76284 1da50e 76282->76284 76496 1d57fb 76282->76496 76283->76282 76506 1dc73e 76284->76506 76288 1daae5 76661 1d2db9 free ctype 76288->76661 76290 1dac17 
76662 1d2db9 free ctype 76290->76662 76291 1a1e0c ctype 2 API calls 76293 1da53a 76291->76293 76295 1da54d 76293->76295 76632 1db0fa malloc _CxxThrowException __EH_prolog 76293->76632 76294 1dac23 76297 1dac3a 76294->76297 76298 1dac35 76294->76298 76302 1a2fec 3 API calls 76295->76302 76664 1db96d _CxxThrowException 76297->76664 76663 1db988 33 API calls __aulldiv 76298->76663 76301 1dac42 76665 1a1e40 free 76301->76665 76307 1da586 76302->76307 76304 1dac4d 76524 1dad06 76307->76524 76428->76271 76430 1d5466 76429->76430 76431 1d5473 76429->76431 76670 1a275e malloc _CxxThrowException free ctype 76430->76670 76431->76276 76434 1c1862 __EH_prolog 76433->76434 76671 1c021a 76434->76671 76439 1c18b9 76685 1c1aa5 free __EH_prolog ctype 76439->76685 76441 1c1935 76690 1c1aa5 free __EH_prolog ctype 76441->76690 76442 1c18c7 76686 1d2db9 free ctype 76442->76686 76446 1c1944 76467 1c1966 76446->76467 76691 1c1d73 5 API calls __EH_prolog 76446->76691 76447 1c18d3 76447->76279 76448 1e04d2 5 API calls 76454 1c18db 76448->76454 76450 1c1958 _CxxThrowException 76450->76467 76451 1c19be 76694 1cf1f1 malloc _CxxThrowException free _CxxThrowException 76451->76694 76453 1a2e04 2 API calls 76453->76467 76454->76441 76454->76448 76687 1c0144 malloc _CxxThrowException free _CxxThrowException 76454->76687 76688 1a1524 malloc _CxxThrowException __EH_prolog ctype 76454->76688 76689 1a1e40 free 76454->76689 76456 1c19d6 76458 1c7ebb free 76456->76458 76460 1c19e1 76458->76460 76459 1a631f 9 API calls 76459->76467 76461 1b12d4 4 API calls 76460->76461 76463 1c19ea 76461->76463 76462 1e04d2 5 API calls 76462->76467 76464 1c7ebb free 76463->76464 76466 1c19f7 76464->76466 76468 1b12d4 4 API calls 76466->76468 76467->76451 76467->76453 76467->76459 76467->76462 76692 1a1524 malloc _CxxThrowException __EH_prolog ctype 76467->76692 76693 1a1e40 free 76467->76693 76477 1c19ff 76468->76477 76470 1c1a4f 76696 1a1e40 free 76470->76696 76472 1a1524 malloc _CxxThrowException 76472->76477 76473 
1c1a57 76697 1d2db9 free ctype 76473->76697 76475 1c1a64 76698 1d2db9 free ctype 76475->76698 76477->76470 76477->76472 76479 1c1a83 76477->76479 76695 1a42e3 CharUpperW 76477->76695 76699 1c1d73 5 API calls __EH_prolog 76479->76699 76481 1c1a97 _CxxThrowException 76482 1c1aa5 __EH_prolog 76481->76482 76700 1a1e40 free 76482->76700 76484 1c1ac8 76701 1c02e8 free ctype 76484->76701 76486 1c1ad1 76702 1c1eab free __EH_prolog ctype 76486->76702 76488 1c1add 76703 1a1e40 free 76488->76703 76490 1c1ae5 76704 1a1e40 free 76490->76704 76492 1c1aed 76705 1d2db9 free ctype 76492->76705 76494 1c1afa 76494->76279 76495->76281 76497 1d5805 __EH_prolog 76496->76497 76498 1d5847 76497->76498 76499 1a26dd 2 API calls 76497->76499 76498->76284 76500 1d5819 76499->76500 76833 1d5678 76500->76833 76504 1d583f 76850 1a1e40 free 76504->76850 76507 1dc748 __EH_prolog 76506->76507 76508 1dc7d7 ctype 6 API calls 76507->76508 76509 1dc75d 76508->76509 76867 1a1e40 free 76509->76867 76511 1dc768 76512 1c2c0b ctype free 76511->76512 76513 1dc775 76512->76513 76868 1a1e40 free 76513->76868 76515 1dc77d 76869 1a1e40 free 76515->76869 76517 1dc785 76870 1a1e40 free 76517->76870 76519 1dc78d 76871 1a1e40 free 76519->76871 76521 1dc795 76522 1c2c0b ctype free 76521->76522 76523 1da51d 76522->76523 76523->76288 76523->76291 76525 1dad29 2 API calls 76524->76525 76526 1da5d8 76525->76526 76527 1dbf3e 76526->76527 76528 1a2fec 3 API calls 76527->76528 76632->76295 76661->76290 76662->76294 76663->76297 76664->76301 76665->76304 76670->76431 76672 1c0224 __EH_prolog 76671->76672 76706 1b3d66 76672->76706 76675 1c062e 76684 1c0638 __EH_prolog 76675->76684 76676 1c06de 76793 1c019a malloc _CxxThrowException free memcpy 76676->76793 76678 1c06e6 76794 1c1453 26 API calls 2 library calls 76678->76794 76679 1c01bc malloc _CxxThrowException free _CxxThrowException memcpy 76679->76684 76681 1c06ee 76681->76439 76681->76454 76684->76676 76684->76679 76684->76681 76722 1c0703 76684->76722 76792 1d2db9 free 
ctype 76684->76792 76685->76442 76686->76447 76687->76454 76688->76454 76689->76454 76690->76446 76691->76450 76692->76467 76693->76467 76694->76456 76695->76477 76696->76473 76697->76475 76698->76447 76699->76481 76700->76484 76701->76486 76702->76488 76703->76490 76704->76492 76705->76494 76717 23fb10 76706->76717 76708 1b3d70 GetCurrentProcess 76718 1b3e04 76708->76718 76710 1b3d8d OpenProcessToken 76711 1b3d9e LookupPrivilegeValueW 76710->76711 76712 1b3de3 76710->76712 76711->76712 76713 1b3dc0 AdjustTokenPrivileges 76711->76713 76714 1b3e04 CloseHandle 76712->76714 76713->76712 76715 1b3dd5 GetLastError 76713->76715 76716 1b3def 76714->76716 76715->76712 76716->76675 76717->76708 76719 1b3e0d 76718->76719 76720 1b3e11 CloseHandle 76718->76720 76719->76710 76721 1b3e21 76720->76721 76721->76710 76769 1c070d __EH_prolog 76722->76769 76723 1c0b40 76723->76684 76724 1c0e1d 76830 1c0416 18 API calls 2 library calls 76724->76830 76726 1c0ea6 76832 1eec78 free ctype 76726->76832 76727 1c0d11 76824 1a7496 7 API calls 2 library calls 76727->76824 76728 1a2da9 2 API calls 76728->76769 76731 1c0c13 76821 1a1e40 free 76731->76821 76732 1c0c83 76732->76724 76732->76727 76735 1a2da9 2 API calls 76776 1c0ab5 76735->76776 76736 1c0e47 76736->76726 76831 1c117d 68 API calls 2 library calls 76736->76831 76737 1c0de0 76826 1d2db9 free ctype 76737->76826 76738 1a2f1c 2 API calls 76767 1c0d29 76738->76767 76740 1a2e04 2 API calls 76740->76769 76742 1c0df8 76828 1a1e40 free 76742->76828 76743 1a2e04 2 API calls 76743->76776 76746 1c0e02 76829 1d2db9 free ctype 76746->76829 76748 1a2e04 2 API calls 76748->76767 76750 1a2fec 3 API calls 76750->76769 76754 1a2fec 3 API calls 76754->76767 76755 1a2fec 3 API calls 76755->76776 76759 1c050b 44 API calls 76759->76776 76761 1c0df3 76827 1a1e40 free 76761->76827 76764 1a1e40 free ctype 76764->76767 76765 1e04d2 malloc _CxxThrowException free _CxxThrowException memcpy 76765->76769 76766 1a1e40 free ctype 76766->76769 76767->76737 
76767->76738 76767->76742 76767->76748 76767->76754 76767->76761 76767->76764 76825 1c117d 68 API calls 2 library calls 76767->76825 76769->76723 76769->76728 76769->76732 76769->76740 76769->76750 76769->76765 76769->76766 76773 1a1524 malloc _CxxThrowException 76769->76773 76769->76776 76787 1c0b48 76769->76787 76789 1c0b26 76769->76789 76791 1d2db9 free ctype 76769->76791 76795 1a2f4a malloc _CxxThrowException free ctype 76769->76795 76796 1a1089 malloc _CxxThrowException free _CxxThrowException 76769->76796 76797 1c13eb 5 API calls 2 library calls 76769->76797 76798 1c050b 76769->76798 76803 1c0021 GetLastError 76769->76803 76804 1a49bd 9 API calls 2 library calls 76769->76804 76805 1c0306 12 API calls 76769->76805 76806 1bff00 5 API calls 2 library calls 76769->76806 76807 1c057d 16 API calls 2 library calls 76769->76807 76808 1c0f8e 24 API calls 2 library calls 76769->76808 76809 1a472e CharUpperW 76769->76809 76810 1b8984 malloc _CxxThrowException free _CxxThrowException memcpy 76769->76810 76811 1c0ef4 68 API calls 2 library calls 76769->76811 76770 1c0c79 76823 1a1e40 free 76770->76823 76771 1c0b30 76814 1a1e40 free 76771->76814 76773->76769 76776->76731 76776->76735 76776->76743 76776->76755 76776->76759 76776->76770 76780 1a1e40 free ctype 76776->76780 76812 1a2f4a malloc _CxxThrowException free ctype 76776->76812 76817 1a1089 malloc _CxxThrowException free _CxxThrowException 76776->76817 76818 1c13eb 5 API calls 2 library calls 76776->76818 76819 1c0ef4 68 API calls 2 library calls 76776->76819 76820 1d2db9 free ctype 76776->76820 76822 1c0021 GetLastError 76776->76822 76777 1c0b38 76815 1a1e40 free 76777->76815 76780->76776 76816 1d2db9 free ctype 76787->76816 76813 1a1e40 free 76789->76813 76791->76769 76792->76684 76793->76678 76794->76681 76795->76769 76796->76769 76797->76769 76799 1a6c72 44 API calls 76798->76799 76800 1c051e 76799->76800 76801 1c0575 76800->76801 76802 1a2f88 3 API calls 76800->76802 76801->76769 76802->76801 76803->76769 
76804->76769 76805->76769 76806->76769 76807->76769 76808->76769 76809->76769 76810->76769 76811->76769 76812->76776 76813->76771 76814->76777 76815->76723 76816->76789 76817->76776 76818->76776 76819->76776 76820->76776 76821->76723 76822->76776 76823->76732 76824->76767 76825->76767 76826->76723 76827->76742 76828->76746 76829->76723 76830->76736 76831->76736 76832->76723 76834 1d5689 76833->76834 76835 1d56b1 76833->76835 76837 1d5593 6 API calls 76834->76837 76851 1d5593 76835->76851 76839 1d56a5 76837->76839 76841 1a28a1 5 API calls 76839->76841 76841->76835 76843 1d570e fputs 76849 1a1fa0 fputc 76843->76849 76845 1d56ef 76846 1d5593 6 API calls 76845->76846 76847 1d5701 76846->76847 76848 1d5711 6 API calls 76847->76848 76848->76843 76849->76504 76850->76498 76852 1d55ad 76851->76852 76853 1a28a1 5 API calls 76852->76853 76854 1d55b8 76853->76854 76855 1a286d 5 API calls 76854->76855 76856 1d55bf 76855->76856 76857 1a28a1 5 API calls 76856->76857 76858 1d55c7 76857->76858 76859 1d5711 76858->76859 76860 1d56e0 76859->76860 76861 1d5721 76859->76861 76860->76843 76865 1a2881 malloc _CxxThrowException free memcpy _CxxThrowException 76860->76865 76862 1a28a1 5 API calls 76861->76862 76863 1d572b 76862->76863 76866 1d55cd 6 API calls 76863->76866 76865->76845 76866->76860 76867->76511 76868->76515 76869->76517 76870->76519 76871->76521 77485 21f190 77486 1a1e0c ctype 2 API calls 77485->77486 77487 21f1b0 77486->77487 77489 2269d0 77490 2269d7 malloc 77489->77490 77491 2269d4 77489->77491 77492 1b1368 77494 1b136d 77492->77494 77495 1b138c 77494->77495 77498 237d80 WaitForSingleObject 77494->77498 77501 1df745 77494->77501 77505 237ea0 SetEvent GetLastError 77494->77505 77499 237d98 77498->77499 77500 237d8e GetLastError 77498->77500 77499->77494 77500->77499 77502 1df74f __EH_prolog 77501->77502 77506 1df784 77502->77506 77504 1df765 77504->77494 77505->77494 77507 1df78e __EH_prolog 77506->77507 77508 1b12d4 4 API calls 77507->77508 77509 1df7c7 77508->77509 
77510 1b12d4 4 API calls 77509->77510 77511 1df7d4 77510->77511 77512 1df871 77511->77512 77515 226b23 VirtualAlloc 77511->77515 77516 1ac4d6 77511->77516 77512->77504 77515->77512 77520 1ac4e9 77516->77520 77517 1ac6f3 77517->77512 77518 1b111c 10 API calls 77518->77520 77519 1b11b4 107 API calls 77519->77520 77520->77517 77520->77518 77520->77519 77521 1ac695 memmove 77520->77521 77521->77520 77522 1ebf67 77523 1ebf74 77522->77523 77524 1ebf85 77522->77524 77523->77524 77528 1ebf8c 77523->77528 77529 1ebf96 __EH_prolog 77528->77529 77545 1ed144 77529->77545 77533 1ebfd0 77552 1a1e40 free 77533->77552 77535 1ebfdb 77553 1a1e40 free 77535->77553 77537 1ebfe6 77554 1ec072 free ctype 77537->77554 77539 1ebff4 77555 1baafa free VariantClear ctype 77539->77555 77541 1ec023 77556 1c73d2 free VariantClear __EH_prolog ctype 77541->77556 77543 1ebf7f 77544 1a1e40 free 77543->77544 77544->77524 77546 1ed14e __EH_prolog 77545->77546 77547 1ed1b7 free 77546->77547 77548 1ed180 77547->77548 77557 1e8e04 memset 77548->77557 77550 1ebfc5 77551 1a1e40 free 77550->77551 77551->77533 77552->77535 77553->77537 77554->77539 77555->77541 77556->77543 77557->77550 77558 1a7b20 77561 1a7ab2 77558->77561 77562 1a7ac5 77561->77562 77563 1a759a 12 API calls 77562->77563 77564 1a7ade 77563->77564 77565 1a7b03 77564->77565 77566 1a7aeb SetFileTime 77564->77566 77569 1a7919 77565->77569 77566->77565 77570 1a7aac 77569->77570 77571 1a793c 77569->77571 77571->77570 77572 1a7945 DeviceIoControl 77571->77572 77573 1a7969 77572->77573 77574 1a79e6 77572->77574 77573->77574 77580 1a79a7 77573->77580 77575 1a79ef DeviceIoControl 77574->77575 77576 1a7a14 77574->77576 77575->77576 77577 1a7a22 DeviceIoControl 77575->77577 77576->77570 77586 1a780d 8 API calls ctype 77576->77586 77577->77576 77578 1a7a44 DeviceIoControl 77577->77578 77578->77576 77585 1a9252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 77580->77585 77581 1a7aa5 77583 1a77de 5 API calls 77581->77583 77583->77570 77584 1a79d0 
77584->77574 77585->77584 77586->77581 77587 1dc2e6 77588 1dc52f 77587->77588 77591 1d544f SetConsoleCtrlHandler 77588->77591 77590 1dc53b 77591->77590
                            APIs
                            • __EH_prolog.LIBCMT ref: 001E81F1
                              • Part of subcall function 001EF749: _CxxThrowException.MSVCRT(?,00254A58), ref: 001EF792
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionH_prologThrow
                            • String ID:
                            • API String ID: 461045715-3916222277
                            • Opcode ID: 05e47c54bf07b936bb62b9892cb3dca8f6583cbf585d60eaa5f26ec15b8649c4
                            • Instruction ID: 1a2334184042c291cc9150893a728ebf87785146e2167ed3be087d587562c935
                            • Opcode Fuzzy Hash: 05e47c54bf07b936bb62b9892cb3dca8f6583cbf585d60eaa5f26ec15b8649c4
                            • Instruction Fuzzy Hash: 46929F30900689DFDF15DFA9C884BAEBBB1BF59304F244099E809AB292CB75DD45CB61
                            APIs
                            • __EH_prolog.LIBCMT ref: 001A686D
                              • Part of subcall function 001A6848: FindClose.KERNELBASE(00000000,?,001A6880), ref: 001A6853
                            • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 001A68A5
                            • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 001A68DE
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: Find$FileFirst$CloseH_prolog
                            • String ID:
                            • API String ID: 3371352514-0
                            • Opcode ID: 9763f92b30686789b007a360e628ddecc54736413aca8914357d7ffbdfd695d1
                            • Instruction ID: 3403359f2365ce30f5e35f37208cb5c8b17f3c44d6d6650703942a2d1dbd22f9
                            • Opcode Fuzzy Hash: 9763f92b30686789b007a360e628ddecc54736413aca8914357d7ffbdfd695d1
                            • Instruction Fuzzy Hash: 3E110475400309DFCF10EF68D8555EDB779EF22324F244229E9A057192DB358E86DB40

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 1da013-1da01a 1 1da37a-1da544 call 1e04d2 call 1a1524 call 1e04d2 call 1a1524 call 1a1e0c 0->1 2 1da020-1da02d call 1b1ac8 0->2 64 1da546-1da54f call 1db0fa 1->64 65 1da551 1->65 8 1da22e-1da235 2->8 9 1da033-1da03a 2->9 10 1da23b-1da24d call 1db4f6 8->10 11 1da367-1da375 call 1db55f 8->11 13 1da03c-1da042 9->13 14 1da054-1da089 call 1d92d3 9->14 26 1da24f-1da253 10->26 27 1da259-1da2fb call 1c7ebb call 1a27bb call 1a26dd call 1c3d70 call 1dad99 call 1a27bb 10->27 25 1dac23-1dac2a 11->25 13->14 17 1da044-1da04f call 1a30ea 13->17 29 1da099 14->29 30 1da08b-1da091 14->30 17->14 35 1dac2c-1dac33 25->35 36 1dac3a-1dac66 call 1db96d call 1a1e40 call 1c3247 25->36 26->27 92 1da2fd 27->92 93 1da303-1da362 call 1db6ab call 1d2db9 call 1a1e40 * 2 call 1dbff8 27->93 34 1da09d-1da0de call 1a2fec call 1db369 29->34 30->29 33 1da093-1da097 30->33 33->34 55 1da0ea-1da0fa 34->55 56 1da0e0-1da0e4 34->56 35->36 37 1dac35 35->37 70 1dac6e-1dacb5 call 1a1e40 call 1a11c2 call 1dbe0c call 1d2db9 36->70 71 1dac68-1dac6a 36->71 43 1dac35 call 1db988 37->43 43->36 60 1da10d 55->60 61 1da0fc-1da102 55->61 56->55 69 1da114-1da19e call 1a2fec call 1c7ebb call 1dad99 60->69 61->60 68 1da104-1da10b 61->68 67 1da553-1da55c 64->67 65->67 74 1da55e-1da560 67->74 75 1da564-1da5c1 call 1a2fec call 1db277 67->75 68->69 104 1da1a2 call 1cf8e0 69->104 71->70 74->75 98 1da5cd-1da652 call 1dad06 call 1dbf3e call 1b3a29 call 1a2e04 call 1c4345 75->98 99 1da5c3-1da5c7 75->99 92->93 93->25 136 1da654-1da671 call 1c375c call 1db96d 98->136 137 1da676-1da6c8 call 1c2096 98->137 99->98 105 1da1a7-1da1b1 104->105 109 1da1c0-1da1c9 105->109 110 1da1b3-1da1bb call 1dc7d7 105->110 116 1da1cb 109->116 117 1da1d1-1da229 call 1db6ab call 1d2db9 call 1a1e40 call 1dbfa4 call 1d940b 109->117 110->109 116->117 117->25 136->137 143 1da6cd-1da6d6 137->143 146 1da6d8-1da6dd call 1dc7d7 143->146 147 1da6e2-1da6e5 143->147 146->147 149 1da72e-1da73a 147->149 150 1da6e7-1da6ee 
147->150 154 1da73c-1da74a call 1a1fa0 149->154 155 1da79e-1da7aa 149->155 152 1da6f0-1da71d call 1a1fa0 fputs call 1a1fa0 call 1a1fb3 call 1a1fa0 150->152 153 1da722-1da725 150->153 152->153 153->149 159 1da727 153->159 166 1da74c-1da753 154->166 167 1da755-1da799 fputs call 1a2201 call 1a1fa0 fputs call 1a2201 call 1a1fa0 154->167 157 1da7ac-1da7b2 155->157 158 1da7d9-1da7e5 155->158 157->158 164 1da7b4-1da7d4 fputs call 1a2201 call 1a1fa0 157->164 161 1da818-1da81a 158->161 162 1da7e7-1da7ed 158->162 159->149 168 1da899-1da8a5 161->168 171 1da81c-1da82b 161->171 162->168 169 1da7f3-1da813 fputs call 1a2201 call 1a1fa0 162->169 164->158 166->155 166->167 167->155 175 1da8e9-1da8ed 168->175 176 1da8a7-1da8ad 168->176 169->161 178 1da82d-1da84c fputs call 1a2201 call 1a1fa0 171->178 179 1da851-1da85d 171->179 183 1da8ef 175->183 188 1da8f6-1da8f8 175->188 176->183 184 1da8af-1da8c2 call 1a1fa0 176->184 178->179 179->168 187 1da85f-1da872 call 1a1fa0 179->187 183->188 184->183 210 1da8c4-1da8e4 fputs call 1a2201 call 1a1fa0 184->210 187->168 211 1da874-1da894 fputs call 1a2201 call 1a1fa0 187->211 196 1daaaf-1daaeb call 1c43b3 call 1a1e40 call 1dc104 call 1dad82 188->196 197 1da8fe-1da90a 188->197 247 1dac0b-1dac1e call 1d2db9 * 2 196->247 248 1daaf1-1daaf7 196->248 198 1da910-1da91f 197->198 199 1daa73-1daa89 call 1a1fa0 197->199 198->199 207 1da925-1da929 198->207 199->196 223 1daa8b-1daaaa fputs call 1a2201 call 1a1fa0 199->223 207->196 214 1da92f-1da93d 207->214 210->175 211->168 220 1da93f-1da964 fputs call 1a2201 call 1a1fa0 214->220 221 1da96a-1da971 214->221 220->221 228 1da98f-1da9a8 fputs call 1a2201 221->228 229 1da973-1da97a 221->229 223->196 241 1da9ad-1da9bd call 1a1fa0 228->241 229->228 234 1da97c-1da982 229->234 234->228 239 1da984-1da98d 234->239 239->228 244 1daa06-1daa1f fputs call 1a2201 239->244 241->244 250 1da9bf-1daa01 fputs call 1a2201 call 1a1fa0 fputs call 1a2201 call 1a1fa0 241->250 252 1daa24-1daa29 call 1a1fa0 244->252 247->25 248->247 
250->244 259 1daa2e-1daa4b fputs call 1a2201 252->259 263 1daa50-1daa5b call 1a1fa0 259->263 263->196 268 1daa5d-1daa71 call 1a1fa0 call 1d710e 263->268 268->196
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$ExceptionThrow
                            • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&&$p&&$N
                            • API String ID: 3665150552-4150196141
                            • Opcode ID: 2a70b409f157169b9c6781ea16ca3734c12c48b2c4124664611023b5f47493ee
                            • Instruction ID: 58bc046e5e68b6f14b152fc48efc291ded37fc6a32a6b7ee1d40b6a7345ad16d
                            • Opcode Fuzzy Hash: 2a70b409f157169b9c6781ea16ca3734c12c48b2c4124664611023b5f47493ee
                            • Instruction Fuzzy Hash: 2B529C35D04258DFCF26EBA4CC95BEDBBB5AF65300F14409AE44AA3291DB746E88CF11

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 274 1da42c-1da433 275 1da449-1da4df call 1d545d call 1a2e04 call 1c1858 call 1a1e40 274->275 276 1da435-1da444 fputs call 1a1fa0 274->276 286 1da4ee-1da4f1 275->286 287 1da4e1-1da4e9 call 1dc7d7 275->287 276->275 289 1da50e-1da520 call 1dc73e 286->289 290 1da4f3-1da4fa 286->290 287->286 295 1dac0b-1dac2a call 1d2db9 * 2 289->295 296 1da526-1da544 call 1a1e0c 289->296 290->289 292 1da4fc-1da509 call 1d57fb 290->292 292->289 308 1dac2c-1dac33 295->308 309 1dac3a-1dac66 call 1db96d call 1a1e40 call 1c3247 295->309 304 1da546-1da54f call 1db0fa 296->304 305 1da551 296->305 307 1da553-1da55c 304->307 305->307 313 1da55e-1da560 307->313 314 1da564-1da5c1 call 1a2fec call 1db277 307->314 308->309 310 1dac35 call 1db988 308->310 327 1dac6e-1dacb5 call 1a1e40 call 1a11c2 call 1dbe0c call 1d2db9 309->327 328 1dac68-1dac6a 309->328 310->309 313->314 325 1da5cd-1da652 call 1dad06 call 1dbf3e call 1b3a29 call 1a2e04 call 1c4345 314->325 326 1da5c3-1da5c7 314->326 348 1da654-1da671 call 1c375c call 1db96d 325->348 349 1da676-1da6d6 call 1c2096 325->349 326->325 328->327 348->349 355 1da6d8-1da6dd call 1dc7d7 349->355 356 1da6e2-1da6e5 349->356 355->356 357 1da72e-1da73a 356->357 358 1da6e7-1da6ee 356->358 362 1da73c-1da74a call 1a1fa0 357->362 363 1da79e-1da7aa 357->363 360 1da6f0-1da71d call 1a1fa0 fputs call 1a1fa0 call 1a1fb3 call 1a1fa0 358->360 361 1da722-1da725 358->361 360->361 361->357 367 1da727 361->367 374 1da74c-1da753 362->374 375 1da755-1da799 fputs call 1a2201 call 1a1fa0 fputs call 1a2201 call 1a1fa0 362->375 365 1da7ac-1da7b2 363->365 366 1da7d9-1da7e5 363->366 365->366 372 1da7b4-1da7d4 fputs call 1a2201 call 1a1fa0 365->372 369 1da818-1da81a 366->369 370 1da7e7-1da7ed 366->370 367->357 376 1da899-1da8a5 369->376 379 1da81c-1da82b 369->379 370->376 377 1da7f3-1da813 fputs call 1a2201 call 1a1fa0 370->377 372->366 374->363 374->375 375->363 383 1da8e9-1da8ed 376->383 384 1da8a7-1da8ad 376->384 377->369 386 
1da82d-1da84c fputs call 1a2201 call 1a1fa0 379->386 387 1da851-1da85d 379->387 391 1da8ef 383->391 396 1da8f6-1da8f8 383->396 384->391 392 1da8af-1da8c2 call 1a1fa0 384->392 386->387 387->376 395 1da85f-1da872 call 1a1fa0 387->395 391->396 392->391 418 1da8c4-1da8e4 fputs call 1a2201 call 1a1fa0 392->418 395->376 419 1da874-1da894 fputs call 1a2201 call 1a1fa0 395->419 404 1daaaf-1daaeb call 1c43b3 call 1a1e40 call 1dc104 call 1dad82 396->404 405 1da8fe-1da90a 396->405 404->295 455 1daaf1-1daaf7 404->455 406 1da910-1da91f 405->406 407 1daa73-1daa89 call 1a1fa0 405->407 406->407 415 1da925-1da929 406->415 407->404 431 1daa8b-1daaaa fputs call 1a2201 call 1a1fa0 407->431 415->404 422 1da92f-1da93d 415->422 418->383 419->376 428 1da93f-1da964 fputs call 1a2201 call 1a1fa0 422->428 429 1da96a-1da971 422->429 428->429 436 1da98f-1da9a8 fputs call 1a2201 429->436 437 1da973-1da97a 429->437 431->404 449 1da9ad-1da9bd call 1a1fa0 436->449 437->436 442 1da97c-1da982 437->442 442->436 447 1da984-1da98d 442->447 447->436 452 1daa06-1daa4b fputs call 1a2201 call 1a1fa0 fputs call 1a2201 447->452 449->452 457 1da9bf-1daa01 fputs call 1a2201 call 1a1fa0 fputs call 1a2201 call 1a1fa0 449->457 467 1daa50-1daa5b call 1a1fa0 452->467 455->295 457->452 467->404 472 1daa5d-1daa71 call 1a1fa0 call 1d710e 467->472 472->404
                            APIs
                            • fputs.MSVCRT(Scanning the drive for archives:), ref: 001DA43E
                              • Part of subcall function 001A1FA0: fputc.MSVCRT ref: 001A1FA7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputcfputs
                            • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&&$p&&$!"$N
                            • API String ID: 269475090-1156372383
                            • Opcode ID: ba220cdfe8e034084be3390697a3d1d74e23afb6bdc6bab6a3f10a58753e9fae
                            • Instruction ID: ccb0a9ebe66ccf38f9ad736980f5b9120ffbaaf21e440ece4d5a6ca78eb6a8dc
                            • Opcode Fuzzy Hash: ba220cdfe8e034084be3390697a3d1d74e23afb6bdc6bab6a3f10a58753e9fae
                            • Instruction Fuzzy Hash: AC22B035904258DFDF2AEBA4C895BEDFBF1AF65300F10409AE44A63291DB756E88CF11

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 777 1d8012-1d8032 call 23fb10 780 1d8038-1d806c fputs call 1d8341 777->780 781 1d8285 777->781 785 1d806e-1d8071 780->785 786 1d80c8-1d80cd 780->786 782 1d8287-1d8295 781->782 789 1d808b-1d808d 785->789 790 1d8073-1d8089 fputs call 1a1fa0 785->790 787 1d80cf-1d80d4 786->787 788 1d80d6-1d80df 786->788 793 1d80e2-1d8110 call 1d8341 call 1d8622 787->793 788->793 791 1d808f-1d8094 789->791 792 1d8096-1d809f 789->792 790->786 795 1d80a2-1d80c7 call 1a2e47 call 1d85c6 call 1a1e40 791->795 792->795 804 1d811e-1d812f call 1d8565 793->804 805 1d8112-1d8119 call 1d831f 793->805 795->786 804->782 812 1d8135-1d813f 804->812 805->804 813 1d814d-1d815b 812->813 814 1d8141-1d8148 call 1d82bb 812->814 813->782 817 1d8161-1d8164 813->817 814->813 818 1d81b6-1d81c0 817->818 819 1d8166-1d8186 817->819 820 1d8276-1d827f 818->820 821 1d81c6-1d81e1 fputs 818->821 823 1d818c-1d8196 call 1d8565 819->823 824 1d8298-1d829d 819->824 820->780 820->781 821->820 827 1d81e7-1d81fb 821->827 829 1d819b-1d819d 823->829 828 1d82b1-1d82b9 SysFreeString 824->828 830 1d81fd-1d821f 827->830 831 1d8273 827->831 828->782 829->824 832 1d81a3-1d81b4 SysFreeString 829->832 834 1d829f-1d82a1 830->834 835 1d8221-1d8245 830->835 831->820 832->818 832->819 836 1d82ae 834->836 838 1d8247-1d8271 call 1d84a7 call 1a965d SysFreeString 835->838 839 1d82a3-1d82ab call 1a965d 835->839 836->828 838->830 838->831 839->836
                            APIs
                            • __EH_prolog.LIBCMT ref: 001D8017
                            • fputs.MSVCRT ref: 001D804D
                              • Part of subcall function 001D8341: __EH_prolog.LIBCMT ref: 001D8346
                              • Part of subcall function 001D8341: fputs.MSVCRT ref: 001D835B
                              • Part of subcall function 001D8341: fputs.MSVCRT ref: 001D8364
                            • fputs.MSVCRT ref: 001D807A
                              • Part of subcall function 001A1FA0: fputc.MSVCRT ref: 001A1FA7
                              • Part of subcall function 001A965D: VariantClear.OLEAUT32(?), ref: 001A967F
                            • SysFreeString.OLEAUT32(00000000), ref: 001D81AA
                            • fputs.MSVCRT ref: 001D81CD
                            • SysFreeString.OLEAUT32(00000000), ref: 001D8267
                            • SysFreeString.OLEAUT32(00000000), ref: 001D82B1
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                            • String ID: --$----$Path$Type$Warning: The archive is open with offset
                            • API String ID: 2889736305-3797937567
                            • Opcode ID: f159eb5de507eaad36fe54800f3f585369cff4cf4cdb3d4e70332c997cd84a1d
                            • Instruction ID: 94d70582e75aa1dcf134fd769061f9d7a46a4eb7fd5b65b8910c5081ae2b18da
                            • Opcode Fuzzy Hash: f159eb5de507eaad36fe54800f3f585369cff4cf4cdb3d4e70332c997cd84a1d
                            • Instruction Fuzzy Hash: CF916971A10605EFDB18EFA8DD85AAEB7B5FF58310F20412AE416A7391DB70AD05CB60

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 846 1d6766-1d6792 call 23fb10 EnterCriticalSection 849 1d67af-1d67b7 846->849 850 1d6794-1d6799 call 1dc7d7 846->850 852 1d67be-1d67c3 849->852 853 1d67b9 call 1a1f91 849->853 854 1d679e-1d67ac 850->854 856 1d67c9-1d67d5 852->856 857 1d6892-1d68a8 852->857 853->852 854->849 858 1d6817-1d682f 856->858 859 1d67d7-1d67dd 856->859 860 1d68ae-1d68b4 857->860 861 1d6941 857->861 865 1d6831-1d6842 call 1a1fa0 858->865 866 1d6873-1d687b 858->866 859->858 863 1d67df-1d67eb 859->863 860->861 864 1d68ba-1d68c2 860->864 862 1d6943-1d695a 861->862 870 1d67ed 863->870 871 1d67f3-1d6801 863->871 869 1d6933-1d693f call 1dc5cd 864->869 872 1d68c4-1d68e6 call 1a1fa0 fputs 864->872 865->866 879 1d6844-1d686c fputs call 1a2201 865->879 868 1d6881-1d6887 866->868 866->869 868->869 875 1d688d 868->875 869->862 870->871 871->866 877 1d6803-1d6815 fputs 871->877 884 1d68e8-1d68f9 fputs 872->884 885 1d68fb-1d6917 call 1b4f2a call 1a1fb3 call 1a1e40 872->885 880 1d692e call 1a1f91 875->880 882 1d686e call 1a1fa0 877->882 879->882 880->869 882->866 889 1d691c-1d6928 call 1a1fa0 884->889 885->889 889->880
                            APIs
                            • __EH_prolog.LIBCMT ref: 001D676B
                            • EnterCriticalSection.KERNEL32(00262938), ref: 001D6781
                            • fputs.MSVCRT ref: 001D680B
                            • LeaveCriticalSection.KERNEL32(00262938), ref: 001D6944
                              • Part of subcall function 001DC7D7: fputs.MSVCRT ref: 001DC840
                            • fputs.MSVCRT ref: 001D6851
                              • Part of subcall function 001A2201: fputs.MSVCRT ref: 001A221E
                            • fputs.MSVCRT ref: 001D68D9
                            • fputs.MSVCRT ref: 001D68F6
                              • Part of subcall function 001A1FA0: fputc.MSVCRT ref: 001A1FA7
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                            • String ID: v$8)&$8)&$Sub items Errors:
                            • API String ID: 2670240366-4130591893
                            • Opcode ID: 44cb8b1d5e4cb61e5a1121a7a905ae614bea0f22233bbbda8d53b1b97ebb53a0
                            • Instruction ID: 93c5219f43163d553476db8eefe8dddbb766846bbc9c195e44263c5875db0a51
                            • Opcode Fuzzy Hash: 44cb8b1d5e4cb61e5a1121a7a905ae614bea0f22233bbbda8d53b1b97ebb53a0
                            • Instruction Fuzzy Hash: 5051CB36601B40DFCB28DF64D9A4AAAB7E2FF95310F20482EE19A87261CB307C44CB40

Control-flow Graph
• Rendered graph not reproduced. Function at 1d6359 (basic blocks 1d6359-1d66fd); calls fputs, plus subroutines 23fb10, 1d5a4d, 1dc7d7, 1dc5cd, 1d8012, 1a1f91, 1a1fa0, 1a211a, 1d8685, 1a210c, 1d6700, 1d6134, 1a1fb3, 1d6244, 1b4f2a and 1a1e40.
                            APIs
                            • __EH_prolog.LIBCMT ref: 001D635E
                            • fputs.MSVCRT ref: 001D645F
                              • Part of subcall function 001DC7D7: fputs.MSVCRT ref: 001DC840
                            • fputs.MSVCRT ref: 001D6547
                            • fputs.MSVCRT ref: 001D665F
                            • fputs.MSVCRT ref: 001D66AE
                              • Part of subcall function 001A1F91: fflush.MSVCRT ref: 001A1F93
                              • Part of subcall function 001A1FB3: __EH_prolog.LIBCMT ref: 001A1FB8
                              • Part of subcall function 001A1E40: free.MSVCRT ref: 001A1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog$fflushfree
                            • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                            • API String ID: 1750297421-1898165966
                            • Opcode ID: 7f7610c12a951709e5e53f9f62796f4dfa6c11c6fd5a4c2147b5a8b73626b0a0
                            • Instruction ID: ee3657c31ff6cd3044ea4040ba3f8323bcffa0bdba178425830729e6c9a36a94
                            • Opcode Fuzzy Hash: 7f7610c12a951709e5e53f9f62796f4dfa6c11c6fd5a4c2147b5a8b73626b0a0
                            • Instruction Fuzzy Hash: 39B19A356017019FDB28EF64D9A1BAAB7E2BF55304F04852EE55A87392CB74AC48CF50

                            Control-flow Graph

                            • Executed
                            • Not Executed
• Rendered graph not reproduced. Function at 1a6c72 (basic blocks 1a6c72-1a715f); calls SetLastError and wcscmp, recurses into itself (1a6c72), and calls subroutines 23fb10, 1a1089, 1a1e40, 1a22bf, 1a2407, 1a2e04, 1a2e47, 1a2f1c, 1a2f88, 1a2fec, 1a3221, 1a31e5, 1a67f0, 1a6848, 1a6868, 1a6bb5, 1a6bf5, 1a717b, 1a764c, 1a7b41, 1a8578, 1a85e2, 1a8664, 1a8782, 1a87df, 1a87fa, 1a88c6 and 1a9252.
                            APIs
                            • __EH_prolog.LIBCMT ref: 001A6C77
                            • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 001A6EC9
                              • Part of subcall function 001A6C72: wcscmp.MSVCRT ref: 001A70A5
                              • Part of subcall function 001A6BF5: __EH_prolog.LIBCMT ref: 001A6BFA
                              • Part of subcall function 001A6BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 001A6C1A
                              • Part of subcall function 001A6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 001A6C49
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                            • String ID: :$DATA
                            • API String ID: 3316598575-2587938151
                            • Opcode ID: 0f621f108a937a72c0b2ab877db3b0313b8fbbc92bf87a31930e6dbe66327ee9
                            • Instruction ID: bf7541b2f7805c1bee705b2b1e1e433774813cba1eef848c5adce3c9c2f16e62
                            • Opcode Fuzzy Hash: 0f621f108a937a72c0b2ab877db3b0313b8fbbc92bf87a31930e6dbe66327ee9
                            • Instruction Fuzzy Hash: C5E1357C9002089ECF25EFA8C895BEEB7B1EF27314F14451DE846672D2DB71AA49CB10
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog
                            • String ID: =
                            • API String ID: 2614055831-2525689732
                            • Opcode ID: 2c6b06ed75931f9f3f5c6fd655aa9b27c7667936e93412c837c565dbe15f5fd6
                            • Instruction ID: 21762e06452c7698d791a7bd4814bcaf626483ae9d06aae7274d6d8a97b2b43a
                            • Opcode Fuzzy Hash: 2c6b06ed75931f9f3f5c6fd655aa9b27c7667936e93412c837c565dbe15f5fd6
                            • Instruction Fuzzy Hash: 0B218E36904118ABCF0AEB94E942BEDBBB5EF69310F20002BE40172192DF716E55CB91
                            APIs
                            • __EH_prolog.LIBCMT ref: 001D8346
                            • fputs.MSVCRT ref: 001D835B
                            • fputs.MSVCRT ref: 001D8364
                              • Part of subcall function 001D83BF: __EH_prolog.LIBCMT ref: 001D83C4
                              • Part of subcall function 001D83BF: fputs.MSVCRT ref: 001D8401
                              • Part of subcall function 001D83BF: fputs.MSVCRT ref: 001D8437
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog
                            • String ID: =
                            • API String ID: 2614055831-2525689732
                            • Opcode ID: eeca4e07488cb39b84d0adf8f8ebac2db1864ae6479aa6c7c3ad7dcc7c7f9483
                            • Instruction ID: c034959ed6be8338935e2738cb823f131adf730069268ec7d85a36f5e06ed554
                            • Opcode Fuzzy Hash: eeca4e07488cb39b84d0adf8f8ebac2db1864ae6479aa6c7c3ad7dcc7c7f9483
                            • Instruction Fuzzy Hash: 1E018675A00004BFCF16BBA8D812AEEBF76FF95750F00401AF405922A2CF759A55DBD1
                            APIs
                            • __EH_prolog.LIBCMT ref: 001C209B
                              • Part of subcall function 001A757D: GetLastError.KERNEL32(001AD14C), ref: 001A757D
                              • Part of subcall function 001C2C6C: __EH_prolog.LIBCMT ref: 001C2C71
                              • Part of subcall function 001A1E40: free.MSVCRT ref: 001A1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ErrorLastfree
                            • String ID: Cannot find archive file$The item is a directory
                            • API String ID: 683690243-1569138187
                            • Opcode ID: 27e308c7c13494b72e39481e07a583674042c8aa5a0339ec6d5bc83956426026
                            • Instruction ID: adfba7c9fecf84ba27fd274dff63c68ff0153ca280e351bdc9f60228b49bbd28
                            • Opcode Fuzzy Hash: 27e308c7c13494b72e39481e07a583674042c8aa5a0339ec6d5bc83956426026
                            • Instruction Fuzzy Hash: 54721574D00258DFCB26DFA8C984BDDBBB5AF69304F14809EE859A7252C7709E81CF51
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: CountTickfputs
                            • String ID: .
                            • API String ID: 290905099-4150638102
                            • Opcode ID: e9c175649d2970a703f4ae86fc123eb6fe313baf91e367d8e7ea86d7398e9b1d
                            • Instruction ID: e58613068dc87ff7eacd3978a0a0e1798a2d9f9352c5c74eb77f04fe68875b35
                            • Opcode Fuzzy Hash: e9c175649d2970a703f4ae86fc123eb6fe313baf91e367d8e7ea86d7398e9b1d
                            • Instruction Fuzzy Hash: 4D716834600B059FCB25EF68C5D1AAAB7F6AF92304F104D1EE09787A81DB74F949CB51
                            APIs
                              • Part of subcall function 001A9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 001A9CB3
                              • Part of subcall function 001A9C8F: GetProcAddress.KERNEL32(00000000), ref: 001A9CBA
                              • Part of subcall function 001A9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 001A9CC8
                            • __aulldiv.LIBCMT ref: 001E093F
                            • __aulldiv.LIBCMT ref: 001E094B
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                            • String ID: 3333
                            • API String ID: 3520896023-2924271548
                            • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                            • Instruction ID: 8f7c06edf8db286b75a2c2c61d83ca0a68c647b4fa69ffc230487497edfbe60c
                            • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                            • Instruction Fuzzy Hash: 1421B5F1D007446FE734DF6A9881A5FBAF9EB88714F00892EF18AD7242D770A9408B65
                            APIs
                              • Part of subcall function 001A1E40: free.MSVCRT ref: 001A1E44
                            • memset.MSVCRT ref: 001CAEBA
                            • memset.MSVCRT ref: 001CAECD
                              • Part of subcall function 001E04D2: _CxxThrowException.MSVCRT(?,00254A58), ref: 001E04F8
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: memset$ExceptionThrowfree
                            • String ID: Split
                            • API String ID: 1404239998-1882502421
                            • Opcode ID: 64ec0937c8bd310922658dfc80c3bc8e66d91168f383878bf0151501aadb789d
                            • Instruction ID: 57176704235ec017e46ba1e88e95d5b2ee6befb9513830201c9cc6e6c8bc1df7
                            • Opcode Fuzzy Hash: 64ec0937c8bd310922658dfc80c3bc8e66d91168f383878bf0151501aadb789d
                            • Instruction Fuzzy Hash: 3A424934A00248DFDF26DBA4C984BADBBB1AF25308F54409DE549A7252CB71EE85CB52
                            APIs
                            • __EH_prolog.LIBCMT ref: 001A609B
                              • Part of subcall function 001A6BF5: __EH_prolog.LIBCMT ref: 001A6BFA
                              • Part of subcall function 001A6BF5: GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 001A6C1A
                              • Part of subcall function 001A6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 001A6C49
                            • DeleteFileW.KERNELBASE(?,?,?,00000000), ref: 001A60DF
                            • DeleteFileW.KERNEL32(?,00000000,?,?,00000000), ref: 001A6111
                              • Part of subcall function 001A5A8C: __EH_prolog.LIBCMT ref: 001A5A91
                              • Part of subcall function 001A5A8C: SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 001A5AB7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: File$AttributesH_prolog$Delete
                            • String ID:
                            • API String ID: 579516761-0
                            • Opcode ID: 18a252fd1da47574847cb9a1777b9f95c5ba3355791003e5a163b0bcd829b013
                            • Instruction ID: 85580393878337a544a2d0f50a3f94ea9340233249f467203e213b93fab4b737
                            • Opcode Fuzzy Hash: 18a252fd1da47574847cb9a1777b9f95c5ba3355791003e5a163b0bcd829b013
                            • Instruction Fuzzy Hash: 77112BBEA0020457CF1976B499826BD6B56DFA73A4F1C0535ED11A32D3CF318C469590
                            APIs
                            • fputs.MSVCRT ref: 001D8437
                            • fputs.MSVCRT ref: 001D8401
                              • Part of subcall function 001A1FB3: __EH_prolog.LIBCMT ref: 001A1FB8
                            • __EH_prolog.LIBCMT ref: 001D83C4
                              • Part of subcall function 001A1FA0: fputc.MSVCRT ref: 001A1FA7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologfputs$fputc
                            • String ID:
                            • API String ID: 678540050-0
                            • Opcode ID: 5db2d08869e70924f533165cf3d50c58ad42474f81d2e1395286e45f3b87fa9f
                            • Instruction ID: c6cce8ddde8e9f03add54cd0e8ddcd82f68698de441e8275ee03372fdb45ed38
                            • Opcode Fuzzy Hash: 5db2d08869e70924f533165cf3d50c58ad42474f81d2e1395286e45f3b87fa9f
                            • Instruction Fuzzy Hash: F611E939B041056FCF09BBA4DD136AEBB76EF92750F10002AF502932D1DF6519198AD4
                            APIs
                            • __EH_prolog.LIBCMT ref: 001A6BFA
                            • GetFileAttributesW.KERNELBASE(?,?,?,00000000,?), ref: 001A6C1A
                              • Part of subcall function 001A1E40: free.MSVCRT ref: 001A1E44
                            • GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 001A6C49
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: AttributesFile$H_prologfree
                            • String ID:
                            • API String ID: 86656847-0
                            • Opcode ID: 0004a3d05ad3feae686369633685c92c97ff2ab437910f8d583c77429dbb28c4
                            • Instruction ID: 8e9cccb16888e1648e3198ef7db05064d695bd3449041455eb4809998f790236
                            • Opcode Fuzzy Hash: 0004a3d05ad3feae686369633685c92c97ff2ab437910f8d583c77429dbb28c4
                            • Instruction Fuzzy Hash: 6C01F43EA40104A7CF1677F8A8C26BEBB65EF5A370F180626FD15A3292CF714C455590
                            APIs
                            • __EH_prolog.LIBCMT ref: 001C2CE0
                              • Part of subcall function 001A5E10: __EH_prolog.LIBCMT ref: 001A5E15
                              • Part of subcall function 001B41EC: _CxxThrowException.MSVCRT(?,00254A58), ref: 001B421A
                              • Part of subcall function 001A965D: VariantClear.OLEAUT32(?), ref: 001A967F
                            Strings
                            • Cannot create output directory, xrefs: 001C3070
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
• Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ClearExceptionThrowVariant
                            • String ID: Cannot create output directory
                            • API String ID: 814188403-1181934277
                            • Opcode ID: 8ab969502393cd55929fcad06a7fdd33e9fe0ba8b92745f550a161f21b8648af
                            • Instruction ID: d173f69973e38a32fa5c094910bf582f8c7cdb7a7eefb1f385302fb52c429de8
                            • Opcode Fuzzy Hash: 8ab969502393cd55929fcad06a7fdd33e9fe0ba8b92745f550a161f21b8648af
                            • Instruction Fuzzy Hash: 7EF1A075900289EFCF25EFA8C891EEDBBB5BF29300F1440ADE44567252DB31AE49CB51
                            APIs
                            • fputs.MSVCRT ref: 001DC840
                              • Part of subcall function 001A25CB: _CxxThrowException.MSVCRT(?,00254A58), ref: 001A25ED
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrowfputs
                            • String ID:
                            • API String ID: 1334390793-399585960
                            • Opcode ID: 382190691a477719d6216c0600a0645453a3e1bc506f2be1337c5b649eb0e59e
                            • Instruction ID: 3e099afca83acaf80dfbebe787272bea77ec7a64c5251bb665fed890db48047b
                            • Opcode Fuzzy Hash: 382190691a477719d6216c0600a0645453a3e1bc506f2be1337c5b649eb0e59e
                            • Instruction Fuzzy Hash: 1B11BF71604745AFDB25CF59C8C5BAAFBE6EF5A304F14446EE18A8B251C7B1B804CBA0
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID: Open
                            • API String ID: 1795875747-71445658
                            • Opcode ID: 422f260f4dc36f2eca380f58fbeb355e37577afec883e920d0381df73898d132
                            • Instruction ID: 67d282f8336e4fc12acd9d339928bb65d01b12c0f49719cade538a89b42f2d58
                            • Opcode Fuzzy Hash: 422f260f4dc36f2eca380f58fbeb355e37577afec883e920d0381df73898d132
                            • Instruction Fuzzy Hash: 3F11E0361017009FC760EF34ED91ADABBA1EF65310F50892FE09A83212DB71A804CF50
                            APIs
                            • __EH_prolog.LIBCMT ref: 001F06B3
                            • _CxxThrowException.MSVCRT(?,0025D480), ref: 001F08F2
                              • Part of subcall function 001A1E0C: malloc.MSVCRT ref: 001A1E1F
                              • Part of subcall function 001A1E0C: _CxxThrowException.MSVCRT(?,00254B28), ref: 001A1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrow$H_prologmalloc
                            • String ID:
                            • API String ID: 3044594480-0
                            • Opcode ID: 888f125dab9b20dbde7fc60687593810d2d0b6a2bd67e25c1543e56112748b8b
                            • Instruction ID: 9756bb7e2cf458fc0bd436a848fde8e9932dbd55bf2bd5bb5dd2590e80e1823f
                            • Opcode Fuzzy Hash: 888f125dab9b20dbde7fc60687593810d2d0b6a2bd67e25c1543e56112748b8b
                            • Instruction Fuzzy Hash: BF917D75D00249DFCF22DFA9C881AEEBBB5BF19344F144199E549A3252CB30AE45CFA1
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 36725829dea85100ce9b6073450268d321293cbfd5f42481e1a910774c68b6c7
                            • Instruction ID: 62e1a1a5917ad4735cbdce216572cc94141f48eefdc14c6101149555fc62e612
                            • Opcode Fuzzy Hash: 36725829dea85100ce9b6073450268d321293cbfd5f42481e1a910774c68b6c7
                            • Instruction Fuzzy Hash: 31F1BA70A04785DFCF35CF64C490AEABBE1BF29304F58486EE49A8B611DB34AD84CB51
                            APIs
                            • __EH_prolog.LIBCMT ref: 001B4255
                              • Part of subcall function 001B440B: __EH_prolog.LIBCMT ref: 001B4410
                              • Part of subcall function 001A1E0C: malloc.MSVCRT ref: 001A1E1F
                              • Part of subcall function 001A1E0C: _CxxThrowException.MSVCRT(?,00254B28), ref: 001A1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 3744649731-0
                            • Opcode ID: 7f5f4da45ccfdad97d0dc94a8cf6ce4635902cf1513c6cc42cf6e93c7916ddda
                            • Instruction ID: 7f60f0d8bbbad4860bca4ad8b29a8f2f90503e6462f501d6ad69e8d34dcc83a5
                            • Opcode Fuzzy Hash: 7f5f4da45ccfdad97d0dc94a8cf6ce4635902cf1513c6cc42cf6e93c7916ddda
                            • Instruction Fuzzy Hash: 8451E4B0801B44CFC325DFA9C1846CAFBF4BF29304F5588AEC49E97652D7B4A618CB61
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 8c1cf031b37c49e6ea84a99c43992a11846e0a296bd3d025825cc0ae52aad3ce
                            • Instruction ID: bf96344d688479539972d4a7e88b6cd54613ca86578fb83fb06cc65e3234f9e0
                            • Opcode Fuzzy Hash: 8c1cf031b37c49e6ea84a99c43992a11846e0a296bd3d025825cc0ae52aad3ce
                            • Instruction Fuzzy Hash: D63118B0900619DBCB15EF95C891DAEFBB5FFA8364B20811EE42667651C7309E41CBA0
                            APIs
                            • __EH_prolog.LIBCMT ref: 001C021F
                              • Part of subcall function 001B3D66: __EH_prolog.LIBCMT ref: 001B3D6B
                              • Part of subcall function 001B3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 001B3D7D
                              • Part of subcall function 001B3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 001B3D94
                              • Part of subcall function 001B3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 001B3DB6
                              • Part of subcall function 001B3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 001B3DCB
                              • Part of subcall function 001B3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 001B3DD5
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                            • String ID:
                            • API String ID: 1532160333-0
                            • Opcode ID: e70dc794a15fd7deadc343738ddb71b0879a9788329c33dbef2e1c2d00038f3e
                            • Instruction ID: d08abfc03886949c8f41548d5f3c6e855bac3ff6181014669b48e674e86c87cd
                            • Opcode Fuzzy Hash: e70dc794a15fd7deadc343738ddb71b0879a9788329c33dbef2e1c2d00038f3e
                            • Instruction Fuzzy Hash: 30214AB1846B90CFC321CF6B82D0686FFF4BB29604B94996ED0DA83B12C770A548CF55
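The subcall at 001B3D66 above is a textbook privilege-enable sequence: GetCurrentProcess, OpenProcessToken with access mask 0x28 (TOKEN_ADJUST_PRIVILEGES 0x20 | TOKEN_QUERY 0x08), LookupPrivilegeValueW for SeSecurityPrivilege, AdjustTokenPrivileges, and then GetLastError. The trailing GetLastError is the part worth understanding when triaging this: AdjustTokenPrivileges returns TRUE even when the token does not hold the requested privilege, and the only way to tell is GetLastError() == ERROR_NOT_ALL_ASSIGNED. Whether this process actually gained SeSecurityPrivilege therefore depends on the integrity level it was launched at, not on the call succeeding. The C below is an added example written for this report, not code from the sample, from the 7zr module, or from the 7-Zip project; it reproduces the same Win32 call order and keeps the result classification in a portable helper so the ERROR_NOT_ALL_ASSIGNED pitfall can be exercised on any host. The function and enum names are the example's own.

```c
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Outcome of trying to enable one privilege in the current process token. */
typedef enum {
    PRIV_ENABLED     = 0,  /* the privilege is now enabled in the token        */
    PRIV_NOT_HELD    = 1,  /* token never held it; the call still returned TRUE */
    PRIV_CALL_FAILED = 2   /* one of the Win32 calls failed outright           */
} priv_outcome;

/* Value of ERROR_NOT_ALL_ASSIGNED from winerror.h (1300), spelled out so the
 * classifier below compiles and can be tested on non-Windows hosts as well. */
#define PRIV_ERROR_NOT_ALL_ASSIGNED 1300UL

/* Pure decision logic, kept separate from the Win32 calls.
 * AdjustTokenPrivileges reports TRUE even when it assigned nothing; the
 * caller has to read GetLastError immediately afterwards to find out. */
priv_outcome classify_adjust(int adjust_returned_true, unsigned long last_error)
{
    if (!adjust_returned_true)
        return PRIV_CALL_FAILED;
    if (last_error == PRIV_ERROR_NOT_ALL_ASSIGNED)
        return PRIV_NOT_HELD;
    return PRIV_ENABLED;
}

#ifdef _WIN32
/* Same call order as the listed subcall: GetCurrentProcess -> OpenProcessToken
 * (0x28 == TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY) -> LookupPrivilegeValueW ->
 * AdjustTokenPrivileges -> GetLastError. */
priv_outcome enable_privilege(const wchar_t *privilege_name)
{
    HANDLE tok = NULL;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tok))
        return PRIV_CALL_FAILED;

    if (!LookupPrivilegeValueW(NULL, privilege_name, &tp.Privileges[0].Luid)) {
        CloseHandle(tok);
        return PRIV_CALL_FAILED;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    ok  = AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    err = GetLastError();   /* read before any other call can overwrite it */
    CloseHandle(tok);
    return classify_adjust(ok, err);
}
#endif

int main(void)
{
#ifdef _WIN32
    /* Run this as a standard user and again elevated: the standard-user token
     * does not hold SeSecurityPrivilege, so the call "succeeds" with NOT_HELD. */
    static const char *names[] = { "ENABLED", "NOT_HELD", "CALL_FAILED" };
    priv_outcome r = enable_privilege(L"SeSecurityPrivilege");
    printf("SeSecurityPrivilege: %s\n", names[r]);
#else
    /* Constructed inputs standing in for (return value, GetLastError) pairs. */
    printf("TRUE/0    -> %d (expect 0)\n", classify_adjust(1, 0UL));
    printf("TRUE/1300 -> %d (expect 1)\n", classify_adjust(1, 1300UL));
    printf("FALSE/5   -> %d (expect 2)\n", classify_adjust(0, 5UL));
#endif
    return 0;
}
```

When reproducing the sandbox run, the distinguishing observable is the process integrity level at which 7zr was started: under a medium-integrity token the sequence above still executes every listed API, so the signature fires, but AdjustTokenPrivileges assigns nothing and GetLastError returns ERROR_NOT_ALL_ASSIGNED.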
                            APIs
                            • __EH_prolog.LIBCMT ref: 001E0364
                              • Part of subcall function 001E01C4: __EH_prolog.LIBCMT ref: 001E01C9
                              • Part of subcall function 001E0143: __EH_prolog.LIBCMT ref: 001E0148
                              • Part of subcall function 001A1E40: free.MSVCRT ref: 001A1E44
                              • Part of subcall function 001E03D8: __EH_prolog.LIBCMT ref: 001E03DD
                              • Part of subcall function 001E004A: __EH_prolog.LIBCMT ref: 001E004F
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$free
                            • String ID:
                            • API String ID: 2654054672-0
                            • Opcode ID: e684aa6b91089712670bfc212826e629434d311ee4308083805a875625eb58b3
                            • Instruction ID: 5b7905328787fd0e037c41b0595e22ff5872ff140c8473fbdfb7883701191a52
                            • Opcode Fuzzy Hash: e684aa6b91089712670bfc212826e629434d311ee4308083805a875625eb58b3
                            • Instruction Fuzzy Hash: CDF0F470914A90EFCB1AEB68D42239DBBE5AF18314F10465DF452632D2CBF45B048744
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 801bc7cd9d026052928f4efdef9cea0297ce813eb097fb1076123cd2c450ff2c
                            • Instruction ID: 3c939e24daeb62822f242b0dab2712db2c0ddb9ca36357e8ba654f67add439b1
                            • Opcode Fuzzy Hash: 801bc7cd9d026052928f4efdef9cea0297ce813eb097fb1076123cd2c450ff2c
                            • Instruction Fuzzy Hash: 14F0AF72E1011AABCB04EF98D8409AFFB75FF58750B00805AF415E7250CB348A01CB90
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID:
                            • API String ID: 1795875747-0
                            • Opcode ID: 00b3638d9931729f05bdbd40ed34db8e0f5a381155ece21da7b4190ae2f14a8c
                            • Instruction ID: d2c31349874cae3307a5f93ab860affd641fe29f791c1b436e5aba4276a171e3
                            • Opcode Fuzzy Hash: 00b3638d9931729f05bdbd40ed34db8e0f5a381155ece21da7b4190ae2f14a8c
                            • Instruction Fuzzy Hash: EAD01232504119ABCF156B98EC05CDD77BCEF19214B10441AF545E2150EAB5E5148794
                            APIs
                            • __EH_prolog.LIBCMT ref: 001F80AF
                              • Part of subcall function 001A1E0C: malloc.MSVCRT ref: 001A1E1F
                              • Part of subcall function 001A1E0C: _CxxThrowException.MSVCRT(?,00254B28), ref: 001A1E39
                              • Part of subcall function 001EBDB5: __EH_prolog.LIBCMT ref: 001EBDBA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 3744649731-0
                            • Opcode ID: 184e774b5c192544f4a81597488dc8d6719afb50a22b2733665023e8057c85e4
                            • Instruction ID: ceebff459a9585178d22e2c70506f4ac229808b31c9596f0937ce09ce8ad898e
                            • Opcode Fuzzy Hash: 184e774b5c192544f4a81597488dc8d6719afb50a22b2733665023e8057c85e4
                            • Instruction Fuzzy Hash: 9DD05EB1F15505AFCB4CEFB4A86676FB2A1AB48344F00457DB016E3781EF708A00CA20
                            APIs
                            • FindClose.KERNELBASE(00000000,?,001A6880), ref: 001A6853
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: CloseFind
                            • String ID:
                            • API String ID: 1863332320-0
                            • Opcode ID: 9d156ff950393242c37d1c82c2f001452ccf0d973a4b344910dbe8eaab3a9f6e
                            • Instruction ID: 62c1ebf50f2fe3e776b0d6e180ac8b7478495303bcd017bb0af8a877d0d61de5
                            • Opcode Fuzzy Hash: 9d156ff950393242c37d1c82c2f001452ccf0d973a4b344910dbe8eaab3a9f6e
                            • Instruction Fuzzy Hash: 64D01239104321468A645E3D78489C533DC6E077343350759F0B4C31E2E7748C835650
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID:
                            • API String ID: 1795875747-0
                            • Opcode ID: 57e423662176098bc5533a7968f0560f321303fbdd883eead268b72c17a701a6
                            • Instruction ID: efee294c164758efab7fad3051a53ccc5d5c63b5159c22362b0acc18d56db05b
                            • Opcode Fuzzy Hash: 57e423662176098bc5533a7968f0560f321303fbdd883eead268b72c17a701a6
                            • Instruction Fuzzy Hash: B6D0C93A008251AF96656F09FC09C8BBBA5FFE6320721082FF484921609B626825DAA0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: memmove
                            • String ID:
                            • API String ID: 2162964266-0
                            • Opcode ID: c8e6be60a44de73470a0be0375f98e7131c656717ac2b07a9bbb6d525593dce7
                            • Instruction ID: 12cd2d0ad177675501aac84d1b3f0f882c0642860f36cef111d72112cc28f4dd
                            • Opcode Fuzzy Hash: c8e6be60a44de73470a0be0375f98e7131c656717ac2b07a9bbb6d525593dce7
                            • Instruction Fuzzy Hash: ED814E79E04249AFCF14CFA8C584AEEBBF1AF4A314F14846AE515B7341D771AA84CF90
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                            • Instruction ID: 7136a17af79c6a2c3d254a664a6f62d8c138dfd7b80c499d0fe5ac416f76bf97
                            • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                            • Instruction Fuzzy Hash: B9D023B263330619CF484D706C0D71B30851F4030EF18447CE813DB1D1F714C23A8144
                            APIs
                            • VirtualAlloc.KERNELBASE(00000000), ref: 00226B31
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 0a41b4f8ea48b0f20bfe35c12d74de8712c2212798e0f2aeba2b0f10e5dd986c
                            • Instruction ID: df0c06612a474f7dd85984f150f52a0ffedcdf45bd817c53608fb23f692163b6
                            • Opcode Fuzzy Hash: 0a41b4f8ea48b0f20bfe35c12d74de8712c2212798e0f2aeba2b0f10e5dd986c
                            • Instruction Fuzzy Hash: FBC02BE1A4E290DFDF0253109C447603F308F83300F0A10C1E4045B0D3C2041C0CC723
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                            • Instruction ID: 8ebaa2add00dc91388de46cfbf1bb7f944164d8fbe41aa28927a33d5a457187a
                            • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                            • Instruction Fuzzy Hash: 6CA024D7D3135111DD5C31303C0D41710001350307FC004FC7401C0111FF17D1345005
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                            • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                            • Instruction ID: 6373b6f9bd6ef6931a11de29bbbe149ea923d9f85feed1eac3248d436acca96e
                            • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                            • Instruction Fuzzy Hash: EEA012CEE2020111DD4410343809413101222E0605BD4C474640040115FE15C0242002
                            APIs
                             • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00226BAC (dwSize 0 with dwFreeType 0x8000 = MEM_RELEASE: releases the whole reservation, the form required when freeing a region allocated with VirtualAlloc)
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                             • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            • Opcode ID: a25b3f554f6edc687ac2ed3cdbe8636a4b94d4b10fdb3d8e826b89fbee19c72d
                            • Instruction ID: d3c4816f2e1229c6c50e8e44bc11e1d990de6284add576f3720aee691e00bcab
                            • Opcode Fuzzy Hash: a25b3f554f6edc687ac2ed3cdbe8636a4b94d4b10fdb3d8e826b89fbee19c72d
                            • Instruction Fuzzy Hash: 3BA0027C681700B7EEA0AB347D4FF5937247781F05F3095447241690D05AE470449A5C
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                             • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                            • Instruction ID: 7ffecf7000ef7cc88ddeee96820d73afb16c74e8240de79f0e7ceeb1bfdbae7c
                            • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                            • Instruction Fuzzy Hash:
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1821077448.00000000001A1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 001A0000, based on PE: true
                             • Associated: 0000000A.00000002.1821054225.00000000001A0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821144743.000000000024C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821169479.0000000000262000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1821188375.000000000026B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_1a0000_7zr.jbxd
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                            • Instruction ID: 5cdf28eb571c656fb6bd4150867e8836fc2047b538871e4c938997b48d512f4c
                            • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                            • Instruction Fuzzy Hash: